SMS-Based 2FA or No?

Discussion in 'mobile device security' started by whatsnext, Jun 13, 2021.

  1. whatsnext

    whatsnext Registered Member

    Joined:
    Jun 13, 2021
    Posts:
    9
    Location:
    NC
    What are your thoughts on SMS-based 2FA?

    Assuming it's the only 2FA option (or the account defaults to it even though there are more secure MFA options on the account), would you use it?

    I know everyone has different thoughts on this but it's inherently insecure and I'm not sure I agree that it's "better than nothing"...
     
  2. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    Maybe SMS is not the best option, but I still think that any 2FA option is "better than nothing". Just my 2 cents.

    PS: Welcome to Wilders.:)
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I agree, I also think it's better than nothing. Although I use 2FA only for accounts that are important to me.
     
  4. whatsnext

    whatsnext Registered Member

    Joined:
    Jun 13, 2021
    Posts:
    9
    Location:
    NC
    Thanks!
     
  5. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,668
    Location:
    Philippines
    I prefer email for 2FA.
     
  6. whatsnext

    whatsnext Registered Member

    Joined:
    Jun 13, 2021
    Posts:
    9
    Location:
    NC
    Thanks for the reply. So do I assuming it's hardware secured email.
     
  7. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    nope, it's simply a rescue email account and i prefer that too.
     
  8. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,668
    Location:
    Philippines
    Not sure what you mean by hardware secured email. I simply use one of my email addresses for the address to send to.

    Reason I don't want to use SMS is I live on one country and require access in another country.
     
  9. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,869
    SMS verification is 2FA. Any additional verification to name/pass is 2FA.

    SMS has advantage if no smartphone with 2FA-app is available, i can receive SMS on my older mobile phone or on home phone. smart phone with app has disadvantage when using paypal and losing the phone however - you cant login anymore and need to call support to (re)set 2FA method to SMS.

    2FA for firefox accounts only need a 6-number generator and email. any phone usable.

    2FA for my bank need a special app, which i need to verify with a TAN. (keep TAN at a safe place for this!)
    after verification setup I only need a (one) safe password to allow my (online) transactions in a browser after login.

    some pages send email that someone had logged in, eg google, dropbox, mozilla, aso.
     
  10. whatsnext

    whatsnext Registered Member

    Joined:
    Jun 13, 2021
    Posts:
    9
    Location:
    NC
    Thanks for all the replies!

    Can someone be kind enough to also read my post on the thread at:
    https://www.wilderssecurity.com/threads/port-out-scam-damage-with.438358/

    I'm wondering if, assuming all else fails in a SIM swap attack, a hardware-secured email should stop an attacker from doing too much damage? I think the entire scam relies on accessing email which I feel confident is secure...but you never know with carriers these days.

    Any thoughts appreciated!
     
  11. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    If an email option is better than nothing than not by much in my opinion. Too many people reuse passwords. If any of your account were compromised, then your email might be too. So when someone hijacks your email and resets your other accounts, guess who gets the 2FA notification to finish the job?
     
  12. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    solid point. i'll review my decision.
     
  13. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,869
    I have unique passwords, and the list is long. I know about some breaches in the past like adobe, malwarebytes and some other pages which do not exist any longer (except the first two, 8 years ago and fixed). the latest breach list is pretty pointless as it only tells me that a certain email address is on that list with password and some other data. at least it does not tell me which page has been breached. and for sure i wont insert passwords i use which are transmitted in plain text, i am not that stupid.

    the curiosity for paypal is, when i login i ned to verify - if i pay with PP on ebay, i dont not need. i even dont get a mail. not ok.
     
  14. whatsnext

    whatsnext Registered Member

    Joined:
    Jun 13, 2021
    Posts:
    9
    Location:
    NC
    Thanks for the comment. I think email secured with a hardware key is the way to go. I would never send codes to an email otherwise.
     
  15. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    ebay owns PayPal so I would not be surprised at this.
     
  16. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,869
    ebay and paypal have left each other in 2020, paypal will be optional until 2023, not further, but until 2021 ayden should be established.
     
  17. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,668
    Location:
    Philippines
    I see your point. I don't reuse any passwords, all are unique. I loose my password database I'm toast. ;) Yes I have backups.

    The 2FA code is only active for a limited time, once used it can't be used again. The only time I see the code is when I try to access my account, they send the code, I enter it. The end. How is someone going to reset my other accounts, if they don't know what they are. Perhaps I am missing something here.
     
  18. whatsnext

    whatsnext Registered Member

    Joined:
    Jun 13, 2021
    Posts:
    9
    Location:
    NC
    Can anyone who posted in this thread kindly tell me if passwords can be reset via SMS 2FA alone? Or will scammers also need email access to complete the account takeover? Do some organizations allow for password reset with just the 2FA code?
     
  19. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    It depends on the service. Real 2FA, as name implies, must not allow password reset with just sms, but many companies allow to log in with just a sms - I look at you Yahoo (Verizon).
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It's better than nothing, but 2FA via SMS isn't safe enough, because of SIM swapping and SMS redirecting attacks, see third link. That's why in the future most websites will switch to authentication apps. Hopefully these apps will also run on desktops/laptops/tablets so that we don't need or smartphones for 2FA. And I also hope that more websites will support hardware based security keys in the future, like from Yubico.

    https://doubleoctopus.com/blog/sim-swapping-2nd-factor-authentication/
    https://www.howtogeek.com/668922/how-to-protect-yourself-from-sim-swapping-attacks/
    https://www.theverge.com/2021/3/15/22332315/sms-redirect-flaw-exploit-text-message-hijacking-hacking
     
  21. whatsnext

    whatsnext Registered Member

    Joined:
    Jun 13, 2021
    Posts:
    9
    Location:
    NC
    Thanks for the info! Do you know if there's a list online somewhere of companies with weak 2FA that allows password reset via SMS only?
     
  22. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,289
    Location:
    Pennsylvania.
    If I can't use app 2FA as an option, it is better than nothing.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.