undefined | Better HN

0 pointsphilnash6y ago0 comments

I’m actually paid to say that too ;) . In fact, SIM swapping isn’t the only weakness of SMS, take a look into the SS7 network and how that allows for a rogue operator to redirect SMS messages too.

At Twilio, we have APIs for two factor authentication and we recommend implementing via push notification to the Authy app with “approve” and “deny” buttons. This is more secure and a better experience than SMS. The API also allows for regular app based 2FA, with a TOTP code, which is more secure than SMS. But it also allows you to fallback to SMS, which is still more secure than no 2FA.

You do have to consider the threat model for your own application when considering these sort of security measures. If the value of an account takeover is high then a targeted attack can, and will, break SMS 2FA. Which is why the Twilio 2FA API allows you to turn off SMS 2FA if you choose.

Ultimately I’d prefer SMS over nothing when it comes to 2FA, but I also encourage developers to use more secure options that can also have a better experience.

0 comments

sneak6y ago

> Ultimately I’d prefer SMS over nothing when it comes to 2FA

This isn't always a good setup. Frequently implementors use SMS, once set up for 2FA, to do password resets.

This means that it's actually 1FA - get the sim, and you're in. No password required.

philnashOP6y ago

Absolutely correct, I've even given talks on this. Check out slide 52, I think we're in strong agreement here: https://speakerdeck.com/philnash/2fa-wtf-at-pycon-singapore?....

I'm not advocating for poorly implemented 2FA, just that SMS 2FA is more secure than just a password.

If a site required you to have a 32 character length password, but kept the passwords in plain text, that wouldn't make your password any less strong. It just opens a different attack vector. If a site implements 2FA via SMS, but allows password reset via SMS it doesn't make SMS 2FA less secure, it makes that sites implementation incorrect.

latchkey6y ago

SMS 2FA isn't more secure than just a password. It actually opens up holes.

When my gf lived in Malaysia, she added her phone number to FB and forgot about it. Years later, after having moved back to Vietnam, the number was recycled and someone was able to use that number to gain access to her FB account and reset the password.

Had she never added her number to FB (and you can extend this to any service which offers SMS 2FA), her account would have been safe.

I'd argue that Twilio should remove SMS 2FA as an option. Period. Just move on from it. Please.

1 more reply

jxcl6y ago

If you allow fallback to SMS instead of TOTP, your solution may be more secure than no 2FA, but it’s no more secure than SMS either.

philnashOP6y ago

But as I said towards the end of the previous comment, if you deem the threat to your users great enough that targeted SMS attacks are a problem, you can turn off that fallback.

j / k navigate · click thread line to collapse

0 pointsphilnash6y ago0 comments

Ultimately I’d prefer SMS over nothing when it comes to 2FA, but I also encourage developers to use more secure options that can also have a better experience.

0 comments

sneak6y ago

> Ultimately I’d prefer SMS over nothing when it comes to 2FA

This isn't always a good setup. Frequently implementors use SMS, once set up for 2FA, to do password resets.

This means that it's actually 1FA - get the sim, and you're in. No password required.

philnashOP6y ago

Absolutely correct, I've even given talks on this. Check out slide 52, I think we're in strong agreement here: https://speakerdeck.com/philnash/2fa-wtf-at-pycon-singapore?....

I'm not advocating for poorly implemented 2FA, just that SMS 2FA is more secure than just a password.

latchkey6y ago

SMS 2FA isn't more secure than just a password. It actually opens up holes.

Had she never added her number to FB (and you can extend this to any service which offers SMS 2FA), her account would have been safe.

I'd argue that Twilio should remove SMS 2FA as an option. Period. Just move on from it. Please.

1 more reply

jxcl6y ago

If you allow fallback to SMS instead of TOTP, your solution may be more secure than no 2FA, but it’s no more secure than SMS either.

philnashOP6y ago

But as I said towards the end of the previous comment, if you deem the threat to your users great enough that targeted SMS attacks are a problem, you can turn off that fallback.

j / k navigate · click thread line to collapse