In this particular case, it seems that two-factor authentication wasn’t the security cure-all that many of us in the industry want it to be.
When a system uses SMS and calls it “two-factor auth”, it is on the same level of security as calling the keyboard you enter your password with a “second factor”.
How do you figure? SMS 2FA is still technically “two factors”, in that you have to verify you are in possession of the account password and of the phone you have registered. However, I think the author is confusing 2FA with Google’s “backup” authentication mechanism.
How did this happen? I had two-factor authentication turned on for Google (remember how I said I would occasionally get auth code texts that I hadn’t requested?).
I think those auth code texts are what Google sends when you do “Forgot my Password” and you have a phone number stored with them. In reality, this backup authentication mechanism is better than the stupid security questions since it’s harder to compromise, although after reading this story, I’d probably recommend no phone number on file and just enter randomly generated passwords as security question answers that you also store in your password manager. This way there is no “easy” reset mechanism at all.
Because you do not actually have to be in possession of the phone, just use one of many ways of intercepting SMSs sent to it. As the legitimate user this feels like it’s a second factor of “something you have”, but in reality it’s as insecure as unencrypted radio signals, smooth-talking tier 1 outsourced customer support, etc.
I think the author’s and pushcx’s point is that while a phone is technically a second factor, it is easily bypassed by a clueless customer service rep at your wireless company who is willing to forward your number to someone else (or a weak/nonexistent default password to do it through a hidden service menu on the provider’s system).
There’s a whole world of poorly-documented phone service functionality that is frequently insecure/misconfigured and makes a phone (whether text or phone call) a poor means of securing data.
I think the author is confused because Google confused them. Google has for years tried to get me to give them my phone number for backup reset purposes. They always insist this will make my account more secure.
To be fair, in this case it didn’t matter that he had 2FA enabled. You can always recover your Google Account using a phone number if you have it set up for that (a lot of people do).
All it goes to show is that phone services are still terribly insecure.
SMS authentication is two-step verification, as opposed to 2FA. A good diagram is here.
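The distinction drawn above, between a code that transits the phone network (two-step verification) and a factor bound to a secret the user actually holds, is easiest to see in code. The following is an added example, not something from the thread or from Google: a minimal RFC 4226/6238 HOTP/TOTP verifier, the mechanism behind authenticator apps. The shared secret never leaves the device and the server, so there is no message for a carrier, a port-out or an SS7 intercept to capture; a compromise requires the secret itself. The RFC 6238 test secret `12345678901234567890` and its published vectors are used to check the implementation; the window size and `generate_secret` helper are choices made here, not part of any standard.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    # Take 4 bytes at the offset, clear the top bit (RFC 4226 section 5.4)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, now: float,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check. Accepts the current step and +/- `window` steps of clock skew.

    The comparison is constant-time so an attacker cannot learn digits one at a time.
    A real deployment would also record the last accepted counter to reject replays.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return False
    counter = int(now) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def generate_secret(nbytes: int = 20) -> bytes:
    """Fresh random secret for enrolment (160 bits, RFC 4226's recommended minimum)."""
    return secrets.token_bytes(nbytes)


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, the encoding authenticator apps expect in otpauth:// URIs."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


if __name__ == "__main__":
    # RFC 6238 appendix B test secret (SHA1 variant); published vectors, not a constructed value
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59))          # RFC vector for T=59 is 287082
    print(totp(rfc_secret, 1111111111, digits=8))  # RFC vector is 14050471

    # Enrolment + login flow with a constructed secret and the real clock
    s = generate_secret()
    print("provision this to the app:", provisioning_secret(s))
    code = totp(s, time.time())
    print("device shows", code, "server accepts:", verify_totp(s, code, time.time()))
```

The skew window is the one security-relevant knob here: each extra step widens the set of codes a server will accept, so keep it to one step on either side and reject any counter at or below the last one that succeeded.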