1. 20

  2. 7

    When a service enables SMS-2FA, an attacker can simply move to a different service. This means that a new attack isn’t necessary, just a new service. The problem is not solved or even mitigated, the user is still compromised and the problem is simply shifted around.

    I don’t understand this bit: Doesn’t that protect against credential stuffing for this particular service? And if all services did it, wouldn’t that globally prevent credential stuffing?

    1. 5

      Agree, I don’t understand this part of the argument. My understanding of the argument and response is that “yes, requiring SMS 2FA for login does protect that service against credential stuffing”.

      The best interpretation I can make of the response is that “one service implementing it doesn’t solve the general, world wide problem of credential stuffing”, which doesn’t seem a reasonable counter argument to me.

      (Which bothers me, since I assume that taviso has thought more deeply about these things than I have, so I’m wondering what I’m missing)

      1. 2

        I think this argument would stand up if all services were equally valuable but they aren’t. You may succeed in compromising an account but is my lobsters account really as valuable to an attacker as my bank or email account? I think not.

      2. 7

        For what it’s worth, I’ve stopped using many services because they wouldn’t just let me log in: Everything is about clicking a link, an email, a text, whatever… Leave me alone!

        1. 3

          I agree, it is almost like they are deliberately making sign in processes more annoying.

          But what bothers me even more is that I don’t want to hand over my personal phone number to $BIGCORP just to sign in to their fucking service. Creating a throwaway email address is easy, but for phone numbers that’s just not feasible. I simply don’t trust them not to sell this information or to start spamming or calling me on my phone.

          My phone number is personally identifiable information which has absolutely nothing to do with me using a service. I would want to tell all these services to fuck off already.

          1. 2

            This is true even for GitHub.

            Every time I want to login they send me a verification code. I guess it’s because I enabled tracking protection in Firefox and (auto-)clean cookies…

          2. 4

            When the user is as technically proficient as the OP, then you do not need it. When your userbase is banks and you’re required to have some form of 2FA within a userbase that does not necessarily own (or cannot use) a smartphone, then SMS-2FA might be your only choice for 2FA (or 1FA, if you view the password part as an easily guessable constant and the time-limited SMS token as the actual password). The world runs on trade-offs and this is one of them.

            1. 1
              1. 11

                Better than nothing perhaps, but the least secure of all 2FA methods (even in your link), as well as being cloneable/hijackable and vulnerable to “vendor social engineering”. Not to mention it requires handing your phone number off to a company, to increase your targeting profile, to be added to txt spam lists, and/or sold to other companies so they can advertise to (spam) you.

                Hardware tokens, push-message-based, even TOTP, all are superior. Why even spend the dev cycles implementing something marginal like SMS-2FA, paying for txt messaging (and/or integrating with an SMS vendor), when you can just do something better instead (and arguably more easily)?

                1. 5

                  Not to mention it requires handing your phone number off to a company, to increase your targeting profile, to be added to txt spam lists, and/or sold to other companies so they can advertise to (spam) you.

                  It’s also a pain in areas with poor or intermittent mobile coverage.

                  1. 1

                    The criticism in the article seems to be mostly around phishing attacks. Are these other approaches more resilient to phishing? With the suggestion of randomized passwords as the best alternative, the author seems to be against any kind of 2FA.

                    1. 5

                      Are these other approaches more resilient to phishing? With the suggestion of randomized passwords as the best alternative, the author seems to be against any kind of 2FA.

                      U2F and WebAuthn categorically prevent phishing by binding the domain into the hardware device’s challenge response.
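As an added illustration of the origin binding the comment above describes (this is my example, not code from the thread, the article, or any WebAuthn library): the browser writes the page's real origin into clientDataJSON and derives the RP ID from it, the authenticator signs authenticatorData (which starts with SHA-256 of the RP ID) together with SHA-256(clientDataJSON), and the relying party rejects any assertion whose origin or rpIdHash is not its own. Assumptions: the origins bank.example and bank.example.evil-login.test are constructed; an HMAC stands in for the ES256 signature a real key would produce (the bound byte layout is the same); effective_domain skips the public-suffix handling a real browser applies.

```python
import hashlib
import hmac
import json
import os

# Constructed origins for the walkthrough (assumptions, not real sites).
BANK_ORIGIN = "https://bank.example"
BANK_RP_ID = "bank.example"
PHISH_ORIGIN = "https://bank.example.evil-login.test"


def rp_id_hash(rp_id: str) -> bytes:
    """First 32 bytes of authenticatorData: SHA-256 of the RP ID."""
    return hashlib.sha256(rp_id.encode()).digest()


def effective_domain(origin: str) -> str:
    """The browser derives the RP ID from the page origin; page JS cannot spoof it.
    Simplified: no public-suffix rules, port and path are dropped."""
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


class Authenticator:
    """Stand-in for a FIDO2/U2F key: credentials are scoped to an RP ID.
    The signature is an HMAC (assumption) where a real key would use ES256;
    the binding is the same: authData || SHA-256(clientDataJSON) is signed."""

    def __init__(self, scoped=True):
        self.scoped = scoped   # scoped=False models a broken key that ignores RP scoping
        self.keys = {}

    def make_credential(self, rp_id):
        self.keys[rp_id] = os.urandom(32)
        return self.keys[rp_id]   # a real RP stores a public key; here the HMAC key

    def get_assertion(self, rp_id, client_data_json):
        key = self.keys.get(rp_id)
        if key is None:
            if self.scoped:
                raise LookupError("no credential scoped to " + rp_id)
            key = next(iter(self.keys.values()))
        auth_data = rp_id_hash(rp_id) + b"\x01" + b"\x00\x00\x00\x01"  # flags(UP) + counter
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(key, to_sign, hashlib.sha256).digest()


def browser_get(authenticator, page_origin, challenge):
    """navigator.credentials.get(): the browser, not the page, fills in origin."""
    client_data = {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin}
    cdj = json.dumps(client_data, sort_keys=True).encode()
    auth_data, sig = authenticator.get_assertion(effective_domain(page_origin), cdj)
    return cdj, auth_data, sig


class RelyingParty:
    def __init__(self, origin, rp_id):
        self.origin, self.rp_id = origin, rp_id
        self.cred_key = None
        self.pending = set()

    def register(self, authenticator):
        self.cred_key = authenticator.make_credential(self.rp_id)

    def new_challenge(self):
        challenge = os.urandom(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, cdj, auth_data, sig):
        cd = json.loads(cdj)
        if cd.get("type") != "webauthn.get":
            return "bad type"
        if bytes.fromhex(cd.get("challenge", "")) not in self.pending:
            return "unknown challenge"
        if cd.get("origin") != self.origin:        # the check that defeats phishing
            return "origin mismatch"
        if auth_data[:32] != rp_id_hash(self.rp_id):
            return "rpIdHash mismatch"
        expected = hmac.new(self.cred_key, auth_data + hashlib.sha256(cdj).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "bad signature"
        self.pending.discard(bytes.fromhex(cd["challenge"]))
        return "ok"


def login_attempt(page_origin, scoped_authenticator=True):
    """Key registered at the bank; the page at page_origin asks for an assertion.
    A phishing page relays the bank's real challenge, as a live proxy would."""
    bank = RelyingParty(BANK_ORIGIN, BANK_RP_ID)
    key = Authenticator(scoped=scoped_authenticator)
    bank.register(key)
    challenge = bank.new_challenge()
    try:
        cdj, auth_data, sig = browser_get(key, page_origin, challenge)
    except LookupError as e:
        return "authenticator refused: " + str(e)
    return bank.verify(cdj, auth_data, sig)


if __name__ == "__main__":
    print("legit page          :", login_attempt(BANK_ORIGIN))
    print("phishing page       :", login_attempt(PHISH_ORIGIN))
    print("phishing, unscoped  :", login_attempt(PHISH_ORIGIN, scoped_authenticator=False))
```

Two layers stop the relay: a scoped authenticator has no credential for the phishing domain and refuses, and even a key that ignored scoping would produce an assertion whose origin (and rpIdHash) the bank rejects, because the relayed challenge is signed together with the origin the browser observed.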

                      1. 5

                        The author also states:

                        If you also want to eliminate phishing, you have two excellent options. You can either educate your users on how to use a password manager, or deploy U2F, FIDO2, WebAuthn, etc. This can be done with hardware tokens or a smartphone.

                        So I don’t think the author is against 2FA in general, just specifically SMS-2FA.

                        Also note the first suggestion of using a password manager is, in my opinion, a bit nuanced, because “how to use a password manager” includes having the manager fill in credentials for you, and the password manager restricting this to only on the correct domain defined for the password.

                        Are these other approaches more resilient to phishing?

                        I would say U2F, FIDO2, WebAuthn is far more resilient to phishing, yes.

                        “A good password manager”? As I mentioned above I feel this one is more tenuous. I personally feel users could easily be tricked to copy/pasting credentials out of a password manager, since users have the expectation that software in general is kind of clunky and broken so “it must not be working right so I’ll do it manually”. As such, I’m not sure I necessarily agree that just using a good password manager is sufficient to prevent phishing. It would be interesting to see stats on it though, as my hunch is just that and has no scientific basis or real evidence behind it.

                        TOTP as a second factor is presumably just as vulnerable to phishing as a password alone, but, being an extra step and relatively out of band from the normal credential flow, it seems useful for preventing automated (non-phishing) attacks. In my opinion better than SMS-2FA, but nowhere near as good as U2F, FIDO2, WebAuthn.

                        Push-message-based tokens (like Okta uses, for example) are, presumably (caveat: I’m not a security professional), as secure as the weakest link of the vendors involved: push vendor (e.g. Google, Apple) and token vendor (e.g. Okta). They generally require server-side integration/credentials to get the vendor to invoke the push, and are typically device-locked.

                        1. 2

                          “A good password manager”? As I mentioned above I feel this one is more tenuous. I personally feel users could easily be tricked to copy/pasting credentials out of a password manager, since users have the expectation that software in general is kind of clunky and broken so “it must not be working right so I’ll do it manually”.

                          I can’t count the number of times I have copy/pasted a password because the Firefox password manager saved the credentials for one login form on the site, but then didn’t autofill them on a different form. Maybe that means that it doesn’t count as a “good password manager” though? I guess I should be filing bugs on these cases anyway.

                          1. 2

                            Same. I also have a few sites that don’t even work well with 1password (generally considered pretty decent). Some sites also seem to go out of their way to make password managers not work. Why?! ;_;

                    2. 3

                      Good link!

                      I posted this because I think it’s interesting to see articulated arguments for a position I’m surprised by.

                      1. 6

                        Google wants to know our phone numbers. From that research, we can see that a phone number is effective in deterring some attacks. The question I would ask is, can we achieve similar security through other means? For example, even Google shows that on-device prompts or security tokens are better than SMS.

                        So please, if you think you must, offer SMS. But also offer other 2FA options and especially don’t force collect phone numbers if you can avoid it.