What are your thoughts on SMS-based 2FA? Assuming it's the only 2FA option (or the account defaults to it even though there are more secure MFA options on the account), would you use it? I know everyone has different thoughts on this but it's inherently insecure and I'm not sure I agree that it's "better than nothing"...
Maybe SMS is not the best option, but I still think that any 2FA option is "better than nothing". Just my 2 cents. PS: Welcome to Wilders.
I agree, I also think it's better than nothing. Although I use 2FA only for accounts that are important to me.
Not sure what you mean by hardware secured email. I simply use one of my email addresses for the address to send to. The reason I don't want to use SMS is that I live in one country and require access in another country.
SMS verification is 2FA. Any additional verification beyond name/pass is 2FA. SMS has the advantage if no smartphone with a 2FA app is available: I can receive SMS on my older mobile phone or on my home phone. A smartphone with an app has a disadvantage when using PayPal and losing the phone, however: you can't log in anymore and need to call support to (re)set the 2FA method to SMS. 2FA for Firefox accounts only needs a 6-digit number generator and email; any phone is usable. 2FA for my bank needs a special app, which I need to verify with a TAN (keep the TAN in a safe place for this!). After the verification setup I only need one safe password to allow my (online) transactions in a browser after login. Some pages send an email that someone has logged in, e.g. Google, Dropbox, Mozilla, and so on.
Thanks for all the replies! Can someone be kind enough to also read my post on the thread at: https://www.wilderssecurity.com/threads/port-out-scam-damage-with.438358/ I'm wondering if, assuming all else fails in a SIM swap attack, a hardware-secured email should stop an attacker from doing too much damage? I think the entire scam relies on accessing email which I feel confident is secure...but you never know with carriers these days. Any thoughts appreciated!
If an email option is better than nothing, then not by much in my opinion. Too many people reuse passwords. If any of your accounts were compromised, then your email might be too. So when someone hijacks your email and resets your other accounts, guess who gets the 2FA notification to finish the job?
I have unique passwords, and the list is long. I know about some breaches in the past like Adobe, Malwarebytes and some other pages which do not exist any longer (except the first two, 8 years ago and fixed). The latest breach list is pretty pointless as it only tells me that a certain email address is on that list with a password and some other data. At least it does not tell me which page has been breached. And for sure I won't insert passwords I use which are transmitted in plain text; I am not that stupid. The curiosity for PayPal is: when I log in I need to verify; if I pay with PP on eBay, I do not need to. I don't even get a mail. Not OK.
Thanks for the comment. I think email secured with a hardware key is the way to go. I would never send codes to an email otherwise.
eBay and PayPal have left each other in 2020; PayPal will be optional until 2023, not further, but by 2021 Adyen should be established.
I see your point. I don't reuse any passwords, all are unique. If I lose my password database, I'm toast. Yes, I have backups. The 2FA code is only active for a limited time; once used it can't be used again. The only time I see the code is when I try to access my account: they send the code, I enter it. The end. How is someone going to reset my other accounts if they don't know what they are? Perhaps I am missing something here.
Can anyone who posted in this thread kindly tell me if passwords can be reset via SMS 2FA alone? Or will scammers also need email access to complete the account takeover? Do some organizations allow for password reset with just the 2FA code?
It depends on the service. Real 2FA, as the name implies, must not allow password reset with just SMS, but many companies allow you to log in with just an SMS code. I look at you, Yahoo (Verizon).
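The two points made above, that a delivered code must be short-lived and single-use, and that account recovery must never succeed on the SMS factor alone, can be shown concretely. The following is an added example written for this page, not code from any poster or from any of the services named; the expiry window, attempt limit and factor names are assumptions, and the SIM-swap scenario is a constructed simulation rather than a real account.

```python
import hmac
import secrets
import time

# Added illustration for the thread; policy values below are assumptions, not any vendor's.
CODE_TTL_SECONDS = 300        # SMS/email codes expire after five minutes
MAX_ATTEMPTS = 3              # wrong guesses allowed before the code is discarded
SIM_SWAPPABLE = {"sms"}       # factors an attacker gains by taking over the phone number


class OneTimeCodeStore:
    """Issues short-lived codes and accepts each one at most once.

    Mirrors the behaviour described in the thread: the code is valid only for a
    limited time and cannot be replayed after it has been accepted.
    """

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be tested offline
        self._pending = {}              # account -> {"code", "expires_at", "attempts"}

    def issue(self, account):
        code = f"{secrets.randbelow(10 ** 6):06d}"   # six digits from a CSPRNG
        self._pending[account] = {
            "code": code,
            "expires_at": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, account, submitted):
        entry = self._pending.get(account)
        if entry is None:
            return False                              # nothing issued, or already consumed
        if self._now() > entry["expires_at"]:
            del self._pending[account]                # expired: discard, never accept
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["code"], submitted):   # constant-time comparison
            del self._pending[account]                # single use: consumed on success
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account]                # brute-force guard: discard after N misses
        return False


def weak_password_reset_allowed(verified_factors):
    """The policy the thread complains about: any single verified factor resets the password."""
    return len(verified_factors) > 0


def strict_password_reset_allowed(verified_factors):
    """Recovery needs at least one factor that a SIM swap does not hand to the attacker."""
    return len(set(verified_factors) - SIM_SWAPPABLE) > 0


def simulate_sim_swap(now=time.time):
    """Constructed scenario: the attacker now receives the victim's SMS and tries a reset."""
    store = OneTimeCodeStore(now)
    intercepted = store.issue("victim")               # the SMS lands on the attacker's SIM
    sms_ok = store.verify("victim", intercepted)       # valid the first time...
    replay = store.verify("victim", intercepted)       # ...but not a second time
    attacker_factors = {"sms"} if sms_ok else set()
    return {
        "sms_accepted": sms_ok,
        "replay_accepted": replay,
        "weak_policy_resets": weak_password_reset_allowed(attacker_factors),
        "strict_policy_resets": strict_password_reset_allowed(attacker_factors),
    }


if __name__ == "__main__":
    for key, value in simulate_sim_swap().items():
        print(f"{key}: {value}")
```

The replay and expiry checks protect against reuse of a code that was seen once, but they do nothing against an attacker who receives the code live, which is exactly the SIM-swap case; only the reset policy stops that, by refusing to treat SMS as sufficient on its own.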
It's better than nothing, but 2FA via SMS isn't safe enough, because of SIM swapping and SMS redirecting attacks; see the third link. That's why in the future most websites will switch to authentication apps. Hopefully these apps will also run on desktops/laptops/tablets so that we don't need our smartphones for 2FA. And I also hope that more websites will support hardware-based security keys in the future, like those from Yubico. https://doubleoctopus.com/blog/sim-swapping-2nd-factor-authentication/ https://www.howtogeek.com/668922/how-to-protect-yourself-from-sim-swapping-attacks/ https://www.theverge.com/2021/3/15/22332315/sms-redirect-flaw-exploit-text-message-hijacking-hacking
Thanks for the info! Do you know if there's a list online somewhere of companies with weak 2FA that allows password reset via SMS only?