undefined | Better HN

chrismorgan4y ago· 1 in thread

They still need your password. The SMS alone is insufficient. Supporting SMS as a second factor (whether primary or backup) is perfectly adequate for almost everyone’s threat model, and generally far superior to not supporting it as regards avoiding account lockout. (That’s Fastmail’s position, which I thoroughly agree with.)

MattPalmer1086OP4y ago

I agree it's probably better than nothing for many people.

It's still pretty much the worst form of 2fa there is, and not nearly as secure as people assume.

blfr4y ago· 1 in thread

It's not useless. It forces the attacker to expand all the effort to get a SIM for your number. While certainly possible, it's not that easy.

MattPalmer1086OP4y ago

I said it's useless if an attacker can get access to a SIM (or hack the SS7 protocol, or whatever).

Clearly it's an extra bar for an attacker, no disagreement there.

jeromegv4y ago

But they need your password first. So you’re not in a worse position than if you didn’t have 2FA. Parent was implying 2FA made it worse.

0 comments

0 comments