undefined | Better HN

0 pointsiaresee2y ago0 comments

On our side, Okta is saying the auth is good.

I'm trying my personal account as well and it's telling me MFA isn't set up (it is) and it's making me go through the MFA setup flow again. All attempts to setup another 2FA code in 1Password or to get even an SMS code sent to my phone are failing.

Edit: Personal account with a TOTP 2FA is working again now as well.

This is feeling worse than they're letting on to.

0 comments

alexzeitler2y ago

1 more reply

ThePowerOfFuet2y ago

You really should not be using SMS for 2FA.

salil9992y ago

For my own knowledge, if the options were between using SMS for 2FA or not having 2FA at all then what is better? I've heard mixed things about this.

mtremsal2y ago

SMS 2FA is better than no MFA at all, despite the very valid concerns about SMS. It at least protects against credential stuffing and similar automated attacks.

1 more reply

rezonant2y ago

Well a simswap attack requires the account password, since otherwise you would not be able to receive an SMS message for the two factor part.

But without two factor, only your account credentials are needed.

So yeah, it's definitely better than nothing, you are effectively forcing your opponent to social engineer your carrier, and doing that generally requires knowing the full number and usually at least your name, if not more identifying information that's harder to get, like social security number or equivalent.

Sure, TOTP or other two factor mechanisms are better because they require access to one of your authenticated devices (assuming the TOTP isn't done by a secure enclave), but SMS two factor is definitely better than disabling two factor.

iareseeOP2y ago

You really aren't following along closely enough: all other options were failing for me.

speedgoose2y ago

But you have setup SMS 2FA enabled, which is convenient this time but a big security hole. You should consider disabling it once the situation comes back to normal.

1 more reply

j / k navigate · click thread line to collapse

0 pointsiaresee2y ago0 comments

On our side, Okta is saying the auth is good.

Edit: Personal account with a TOTP 2FA is working again now as well.

This is feeling worse than they're letting on to.

0 comments

alexzeitler2y ago

1 more reply

ThePowerOfFuet2y ago

You really should not be using SMS for 2FA.

salil9992y ago

For my own knowledge, if the options were between using SMS for 2FA or not having 2FA at all then what is better? I've heard mixed things about this.

mtremsal2y ago

SMS 2FA is better than no MFA at all, despite the very valid concerns about SMS. It at least protects against credential stuffing and similar automated attacks.

1 more reply

rezonant2y ago

Well a simswap attack requires the account password, since otherwise you would not be able to receive an SMS message for the two factor part.

But without two factor, only your account credentials are needed.

iareseeOP2y ago

You really aren't following along closely enough: all other options were failing for me.

speedgoose2y ago

But you have setup SMS 2FA enabled, which is convenient this time but a big security hole. You should consider disabling it once the situation comes back to normal.

1 more reply

j / k navigate · click thread line to collapse