undefined | Better HN

0 pointspoutine12y ago0 comments

Oh really? You think that login+password is a trade of equal risk with login+password+sms? Sorry, but the second is clearly has much less risk.

Twitter introduced SMS authentication as a second factor. Do you really think that their number of fraudulent logins for users protected by that second factor hasn't gone down to near zero?

0 comments

2 comments · 1 top-level

pfraze12y ago· 1 in thread

I think some of the use-cases are getting mixed, including by myself and by the author.

I do agree that 2FA, even with cell-phones, will improve the security of the web interface. The CloudFlare breach was caused by using the phone as an independent authenticator (overriding the password) which is not 2FA, as I understand it.

And I agree, the likelihood of SMS interception or spoofing during the verification process seems pretty slim. I'm going to bow out to the security experts at this point.

pyre12y ago

IIRC, GSM has been cracked. I'm not an expert, so I'm not sure how this affects SMS, but as SMS is done via a control channel (that was not originally intended to be used for text messaging), I'm assuming that there are no extra protections there.

Granted, this requires physical proximity though, which definitely raises the bar for any attacker.

j / k navigate · click thread line to collapse