@Zambyte incorrect

False sense of security

Disclosure of private information

@spoon @sir I'm on board with not needlessly sharing personally identifying information. But as far as raw account security I still think SMS 2FA is better than no 2FA at all.

@Zambyte @sir Fair. The problem I think is foward-looking, when you're /designing/ a system and make that choice because it's "better than nothing." Doing that provides cover for services that repurpose phone numbers for marketing, among other asshattery. If nobody accepted that bad design choice, we'd all be much better off. So "don't fucking use SMS for 2FA" makes some sense to me.

@Zambyte @sir Yep.

For all its flaws, SMS as a second factor stops the most common attacks. Yes, TOTP, physical tokens, and challenge-response are all harder to defeat. SMS 2FA—warts and all—is still categorically better than passwords alone.

It’s easy to slip into black & white “it’s either secure or it’s not” thinking, but security is always about tradeoffs.

@mkb @Zambyte @sir also note that in case of online.banking, with SMS you can see the details of the transaction you're approving. Can't do that with TOTP.

I wish banks used something like Ledger Nano (basically a USB smartcard with LCD and 2 buttons) for 2FA

@sir I do. With my bank. 2FA is legally mandatory with Online Banking here. The alternative would be a proprietary app for my smartphone or one of these reidiculously expensive smartcard readers. I do not even own a smartphone. But it's all broken anyways, because I can just call my Bank and authorize transactions with a 5-digit PIN I tell them on the phone

@sir I actually switched banks to be able to do this. Technically, I do not even have 2FA, because at least Klarna knows my banking credentials

@waweic @sir are you sure it would require a proprietary app? some stuff might say it needs google authenticator or microsoft authenticator, but anything that talks TOTP should work, like "andOTP" from F-Droid. you can also use keepassxc on your PC.

@brad @waweic @sir from what I've seen, it's never Google Authenticator, but the bank's own mobile banking app

@brad @sir I would be so glad if it was an open standard like TOTP. But sadly, I am pretty sure that it isn't. It can either send a TAN (transaction number) with a push message from a distant server or it even confirms the transaction in the app itself

@waweic +1 for refusing 2FA if it implies installing a proprietary app stuffed with spywares. #DSP2 is ridiculous.


@sir i really don't understand how come banks don't use hardware keys. there were some scams where people forged IDs of the victim, got a new sim card and use it to steal home banking credentials.

Sign in to participate in the conversation

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!