undefined | Better HN

0 pointslatchkey6y ago0 comments

SMS 2FA isn't more secure than just a password. It actually opens up holes.

When my gf lived in Malaysia, she added her phone number to FB and forgot about it. Years later, after having moved back to Vietnam, the number was recycled and someone was able to use that number to gain access to her FB account and reset the password.

Had she never added her number to FB (and you can extend this to any service which offers SMS 2FA), her account would have been safe.

I'd argue that Twilio should remove SMS 2FA as an option. Period. Just move on from it. Please.

0 comments

philnash6y ago

The security hole there is using SMS as an account reset, which makes it a one factor solution (see other discussions of this in the thread). The error was in that implementation, not in SMS 2FA in general.

latchkeyOP6y ago

The point being that had it been 2FA, it would have been the same hole.

philnash6y ago

There are a numbers of things here that are true.

* Applications that take a phone number for one reason (2FA or otherwise) and also use it as a single factor for account reset are less secure in the case of number recyling.

* Applications that do 2FA via SMS do not necessarily do account resets via SMS

* 2FA over SMS is more secure than just having a password to secure an account.

I am sorry your girlfriend had this problem. I would have hoped a business like Facebook would better understand phone number usage. Their penchant for taking as much data as they can and using it however they like clearly burned some of their users here. I hope they have tightened up this hole and that this didn't affect too many people.

1 more reply

j / k navigate · click thread line to collapse

0 pointslatchkey6y ago0 comments

SMS 2FA isn't more secure than just a password. It actually opens up holes.

Had she never added her number to FB (and you can extend this to any service which offers SMS 2FA), her account would have been safe.

I'd argue that Twilio should remove SMS 2FA as an option. Period. Just move on from it. Please.

0 comments

philnash6y ago

latchkeyOP6y ago

The point being that had it been 2FA, it would have been the same hole.

philnash6y ago

There are a numbers of things here that are true.

* Applications that take a phone number for one reason (2FA or otherwise) and also use it as a single factor for account reset are less secure in the case of number recyling.

* Applications that do 2FA via SMS do not necessarily do account resets via SMS

* 2FA over SMS is more secure than just having a password to secure an account.

1 more reply

j / k navigate · click thread line to collapse