@sir CMV: SMS for 2FA > no 2FA
False sense of security
Disclosure of private information
@Zambyte @sir Fair. The problem I think is forward-looking, when you're /designing/ a system and make that choice because it's "better than nothing." Doing that provides cover for services that repurpose phone numbers for marketing, among other asshattery. If nobody accepted that bad design choice, we'd all be much better off. So "don't fucking use SMS for 2FA" makes some sense to me.
For all its flaws, SMS as a second factor stops the most common attacks. Yes, TOTP, physical tokens, and challenge-response are all harder to defeat. SMS 2FA—warts and all—is still categorically better than passwords alone.
It’s easy to slip into black & white “it’s either secure or it’s not” thinking, but security is always about tradeoffs.
@sir I do. With my bank. 2FA is legally mandatory with Online Banking here. The alternative would be a proprietary app for my smartphone or one of these ridiculously expensive smartcard readers. I do not even own a smartphone. But it's all broken anyways, because I can just call my Bank and authorize transactions with a 5-digit PIN I tell them on the phone.
@sir I actually switched banks to be able to do this. Technically, I do not even have 2FA, because at least Klarna knows my banking credentials
@sir tbf try not to use sms in general
@sir Tell that to Apple 🙄
@sir i really don't understand how come banks don't use hardware keys. there were some scams where people forged IDs of the victim, got a new sim card and used it to steal home banking credentials.