Please stop telling people who don’t know better not to use SMS 2FA. Some other factor is better than no other factor, and not everyone has an adversary that will do SIM cloning or an SS7 attack


@wxcafe Agreed! Also I do know better and I still use SMS 2FA for a lot of things because fuck if I'm going to get locked out of my account because my OTP app isn't accessible to me at the moment.

@fluffy @wxcafe

OTP App is one of the best in my opinion, but never forget to do a backup on another device. I had to reinstall my smartphone (because it crashed) and couldn't get my backup .. I just locked my :facebook: account :oh_no:

@ralaud @wxcafe I’ve been using Authenticator by Matt Rubin, since it has some nice creature comforts. But a full backup isn’t one of them. :(

@ralaud @wxcafe also all this time I thought I worked with the author in the past but it turns out to be a different Matt Rubin, oops.

oh well it's still pretty good.

@fluffy @wxcafe

This one can create an encrypted backup, but it is only for android ..

@ralaud @wxcafe the app I use is adamant about not letting you do backups of your own or having any way of transferring the secret anywhere else, although it does at least allow backups to happen in an iTunes encrypted backup (which is what I use).

This one claims to allow users to transfer the secrets and such; maybe I'll try it out:

@fluffy @wxcafe

Is this open source?

In my opinion, software which helps you to be more secure needs to be open sourced, to be sure that it is secure. Even if you don't look up the whole source code, at least it would be harder to exploit this software.

You don't need SIM cloning or an SS7 attack, all you need is social engineering the telco's tech support, which is relatively easy and has already been done multiple times.

So SMS 2FA is more of a false sense of security than anything else.

Another problem is that many services, including banks, still offer no 2FA other than SMS 2FA, unless you're a business customer.

@Wolf480pl @wxcafe you still need the phishing site *and* the social engineering part.

It's *still* more secure than just the password.

It's *still* better for most people than just the password.

@rysiek @Wolf480pl @wxcafe all they need to do is walk into a local phone store with a sob story. The store employees are poorly trained and easily fooled or bribed. I know, it happened to me.

You are a fool if you have any substantial money: it can be stolen via SMS password reset of your email or bank account.

Google Authenticator or Authy are much safer and not hard to use. Saved my ass when my number was hijacked.

@wxcafe though social engineering a SIM card swap is probably less than $100 of labor. So yes, it's better, but if your account has a cash value you need better.

@wxcafe Also, I know for me, my cell service goes off, and I forget my passwords, so like, how am I supposed to retrieve my passwords then? The emphasis should be on not to hack, not finding ways to blame people for "not being secure enough".
