I’m surprised it’s taken so long… (and just as enterprise software starts adopting MFA, quite often via SMS-distributed tokens).
If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service.
Even that’s not a hugely beneficial improvement - I’ve read countless stories of numbers being ported to new SIMs and then used for attacks…
While I agree that SMS as a factor isn’t the best idea, it’s absolutely good enough for the majority of use cases. SS7 won’t be exploited by your typical hacker (hacker for lack of a better term, scammer or friend-with-a-keylogger is more appropriate) so this is still all the protection most people of the public will need.
For those who require better security there’s Authy and Duo push, Yubikeys, RSA soft tokens, and finally smartcards and hardware OTP tokens.
The problem is, most people understand the process of entering a code they receive via text, plus it links a phone to an account for more robust real world account verification. Other second factors aren’t as easy to use unless you understand what’s going on. Duo push is a mess half the time. Also, SMS works on a Nokia from 1993 - Google Authenticator does not.
I’d argue that 2FA took off because of the ease of use and availability of SMS. That’s not to say that we shouldn’t push forward to better things, only that maybe it’s too soon for the government to call it insecure.
This is a case of perfect being the enemy of good enough.
In the end this won’t affect my login flows, so I could ignore it and look forward to more accounts in Authy. On the other hand, I hope this doesn’t discourage people from using 2FA because they’ll have to install an app or carry a thing with them everywhere.
That, and the mobile telecommunications backend network SS7 isn’t secure.
What about if used in 3 factor authentication? Just add email as well?