Yeah, and it requires me to use a U2F token, which I can loose, etc. You have to balance security and usability, and SMS as a second factor seems like a perfectly reasonable balance.
In which case there are much safer recovery mechanisms available. For example, a second U2F token, or handwritten backup codes.
> and SMS as a second factor seems like a perfectly reasonable balance.
My point is that it isn't. Unfortunately, today, identity is a true privilege - it pretty much requires purchasing multiple U2F tokens, and that's super shitty. That doesn't mean that SMS 2FA is a good idea - the fact that it can actually reduce your security is very problematic.
There is pretty much no form of second factor that users are worse at passing than backup codes. Even if people print them out (few do), they won't find them when the emergency happens. You need some form of trust that can be bootstrapped again from scratch.
For most of the world, SMS is it. The Nordic countries have the bank if system. But the market is too small. Hopefully the EU-wide identity verification systems solve the scale problem.
This is not using it as a second factor. It is using it as the only factor. Having SMS as the only factor is not purely additive. As such it can (and obviously does) reduce security.
Account recovery is hard, SMS is quite usable there, but way to insecure to be the only basis for bootstrapping account recovery.
You are forgetting social engineering. Humans find it reassuring that the security process happened as usual, even if in fact the apparently "usual" process was them being being phished. This can mean they're actually less alert than they would be otherwise.
You get an urgent message from your bank about an unexpected $500 transaction, you follow the link & you need to enter your password as usual of course, and then it tells you that you'll get an SMS and to type in the code so you do so. Phew! Disaster averted! Right? This must have been real, you even got an SMS from the bank.
Alas the SMS was from your bank, and the bad guys didn't have a way to intercept it, but they didn't need one because you typed it into their phishing website. That unexpected $500 transaction wasn't real, but their emptying of your bank account will be.
It most certainly can reduce security, that's the point. If I don't have a phone number on my account (which I almost universally don't) then no amount of SMS hijacking will ever matter.
If some provider forces me to put a phone number in, now I may be vulnerable to a weakness I didn't want to be vulnerable to. Maaybe today that particular provider uses SMS in a stricly additive sense. Maybe. Just as likely next month they'll redesign their site to be "easier" and add back the vulnerability.
Same with recovery questions. They make the security stricly worse for most people since they are password-equivalents with far lower entropy. Although personally my best friend from high school was named D3ho9WvylJkws1zfAKUxZjdYuCsS.
I responded to this in another post.
> There is pretty much no form of second factor that users are worse at passing than backup codes.
Agreed, I also mentioned backup U2F. At this point modern smart phones package TPMs that can also do attestation, so we're really not too far away from being in a situation where the vast majority of people have a U2F token in their pocket.
Which have either higher costs or "administrative burden" or both which will lead them to failure for a big chunk of non tech-savvy people. Educating a casual user that they need to print out recovery codes and store them in a safe place it's not exactly top notch usability.
So then have two U2F tokens. Or use your phone's TPM as a U2F token. The usability of phone-based U2F is quite good.
The only way it can ever actively reduce your security is if it's used as a single factor, as it was for the OP.
I don't believe this is true. If I have your SMS I am considerably more likely to be able to phish a recovery, even if recovery also involves something else. Every piece of information the attacker can get is valuable for forging auth.
What SMS is good at is being available. At this point cell phones are distributed to a massive portion of the world. But at this point smartphones can also act as U2F devices, I believe, so I'm not sure that benefit is so meaningful anymore.
Instead of companies wasting time on SMS 2FA they should be figuring out how to help their customers set up U2F.
I'd like to avoid being in a situation in 10 years where we have great options for end users available but 2FA SMS is still supported for legacy reasons, and unwitting users end up using it because it seems easier and they don't understand the risks.
I witnessed so many people lose access to their accounts because they wiped their phone that had an authenticator app, or they lost their physical 2FA tool.
1. You increase the risk of losing your entire life (if 2FA is properly implemented and avoids all social engineering process risks)
or
2. The 2nd factor devolves into a 2nd way to get access to your account
You really can't have both security and convenience.
> wiped their phone that had an authenticator app
try this one: battery dies in an iPhone. iPhone won't boot until battery is replaced. Battery can only be replaced at an Apple store. 2FA: do you feel lucky, punk?
But it is a whole lot of extra work to set up and maintain long-term, even with the best intentions.
This is really great advice.
I do something similar. I have a copy of the recovery codes (where possible) in an encrypted volume with multiple copies. Also printouts. The printouts have saved me once already.
Also, don't underestimate the utility of carrying around an encrypted SD card with things you want to retain access to!
Put a plan together for the "house burns down" scenario.
With U2F I need to enroll multiple tokens and keep some off-site. So what does this entail? I keep maybe 3 tokens, two on-site that I add the new account to, then on a regular schedule I rotate one off-site and bring the third one on-site and go back through and add it to any accounts I've created in the meantime? The whole process is a pain in the ass, and not all sites allow multiple devices to be registered (e.g., AWS). And new accounts are still vulnerable during the time between registering and rotating the third key on-site.
With TOTP you can... just sync your TOTP database. Some apps such as Microsoft Authenticator do this on their own. Personally, I put all my TOTP secrets into a Keepass database and sync it off-site with Nextcloud. There is no way for the site to limit how many devices I enroll so it's easy enough to create as many backup devices as you need. If you're really old school, you can print the secrets and put them in a fire safe.
FWIW, I have several yubikeys. I primarily use them as a secure store for TOTP secrets and to store a SSH key (generated off-device and backed up), not for webauthn. It's just too annoying to deal with in a way that ensures I don't lock myself out of an account.
Every modern TOTP app is cloud-synced, so I'm not sure why people are saying it's "a pain in the ass if you lose your device."
Heck, most modern password managers (e.g. 1Password, LastPass, etc.) are also TOTP, and help you fill the TOTP token (usually by putting in on your clipboard) at the same time they autofill the password.
> It is also weak to phishing (extremely common) but adds protection against SIM-swapping (comparatively very rare).
Sufficient paranoia / user training is enough to protect against phishing. (Especially for services where the only "users" are the extremely-paranoid IT admins themselves.) But nothing can really protect you from SIM-swapping, save for not allowing services that use single-factor SMS recovery to ever know your phone number in the first place.
How many services do that today? And since so few people have fallbacks what is their recovery process like? Because the hackers will find the weaknesses.
AWS is the counter-example which will be (indeed already has been in this HN comment tree) cited as proof sites don't all do this, I've tried asking if there are literally any others, and never received any ideas. I don't currently have an employer and I don't use AWS for personal projects.
It's pretty common for sites that actually care about authenticating you (so, Google but not your Bank, GitHub but not your mortgage lender) to provide you with single use bypass codes which they tell you to write down and keep somewhere safe.
This is more portable than U2F tokens since client-side certificates are part of the TLS standard and should be supported regardless of the application protocol used. Adding other devices could be done by sending a CSR along with the username and password and authorizing the second device from first device that's already logged into the account.
But Mozilla, and Google double teamed to sink it in W3C to push their own bicycle reinvention attempts, which after 10+ years, multiple incompatible versions, and errata ridden revisions are still not there.
https://lists.w3.org/Archives/Public/www-tag/2015Sep/0001.ht...
Google needs to be kicked out of W3C
(Unless you use a solution like Authy with multiple devices, which strikes me as the most sensible solution.)
All of that made me switch to Microsoft Authenticator, as they do have both multi-device sync and "recover from backup" feature as well, so now I don't need to be stressed about my phone getting lost. Kind of sad, given that I've been a user of Google Authenticator for quite many years until that point.
Best compromise between usability, access and recovery is to always use TOTP but be sure to always securely back up the secret offline. Don't ever just scan it into a single device, as then you're back to being able to lose it and be locked out.
IMO both the mobile provider and the web site operator should be jointly liable for damages resulting from SMS 2FA abuse. The mobile operator for giving access to your phone number to an unauthorized person, the web site operator for using a known insecure technique.
Both the number of successful hijackings and companies using SMS 2FA would drop drastically.
Besides, I don't believe coinbase does SMS only account recovery. So here SMS really did fail as a second factor. Since it seems attackers must have had a password and SMS. (I am not 100% on the coinbase account recovery process)
So the hacker only needed to hijack his SMS.... with that, they gained access to his email, and then with that gained access to coinbase. No password required.
Proper support would mean allowing multiple tokens, so that you can have one permanently on your keychain, one permanently in your computer at home, and an off site backup pair that you rotate (enroll the one that is at home, then swap and enroll the other one).
On desktop, touching a U2F token is a lot easier than typing numbers from a SMS, and it actually protects against one of the biggest threats, phishing (the SMS does not - if the phisher bothers to ask for it, the user, who thinks that they're logging into the legit web site, will enter it).
