undefined | Better HN

0 pointsensignavenger4y ago0 comments

Coinbase and other sites (especially those that deal in money) should stop using SIM cards as a form of authentication. While carriers should probably do more to secure SIMs and phone #s, it has always been known that the system was never designed to be used as a security mechanism, and Coinbase using it as such is a security flaw that they are responsible for.

0 comments

Consultant324524y ago

Okta architect here. It's hard enough getting MFA to work in a large organization where technically illiterate people are surrounded by coworkers to ask who have all figured out their RSA tokens or Okta Verify enrollment. Trying to manage this for the general public would be an incredible undertaking.

The cost benefit analysis probably does not make sense for a gazillion low balance users. It may make sense to enforce strong factors for high balance users. You have to balance that against them taking their business elsewhere.

bonzini4y ago

In Europe all banks are using 2FA, and it's usually based on TOTP (and enrolling the first phone is a pain usually requiring QR codes and whatnot). 17 years ago some were using smartcards as 2FA. It's doable and secure, to the point that identity theft is almost unheard of (and usually used more as a synonym of catfishing than in the American sense).

SMS is handy but it should be a last resort rather than the main second factor.

jkepler4y ago

I bank with a major European bank, and they still rely on SMS for 2FA for every online transaction, except for logging into their website. They offer 2FA through their app, but that only works with iOS or Android with full Google Play services---for non-Google folks running LineageOS or /e/ OS, they're stuck with SMS 2FA.

trelane4y ago

If you can use sms as a factor, you can use sms as a factor. The only way to win is not to play at all

1 more reply

Spooky234y ago

This. Nerdy people don’t understand how much people struggle with this.

RSA enrollment is probably the single most challenging end user issue our IT folks deal with. After password reset it’s the #2 call, and lots of time, training and engineering effort has been expended to improve the experience. (And those efforts were very effective!)

wpietri4y ago

So to sum up, an organization promising to take people's money and keep it safe can't afford to do it except for people with a great deal of money. However, they're still going to accept smaller amounts of money. Did I get that right?

Consultant324524y ago

Depends on how you define "keep it safe". If I give you $100 to keep safe, I don't care how many times you get robbed as long as I get $100 back when I want it. If I can get my money, it's safe.

abecedarius4y ago

When I went looking for an online brokerage in the USA with a reasonable login process (i.e. 2FA, not by SMS ever) it seemed pretty hard to find one. (Maybe that's changed?) These brokerages handle amounts much greater than a software engineer's retirement savings.

3 more replies

edoceo4y ago

Unfortunately, yes.

ufmace4y ago

A decent point. It scares me to imagine all the security checks that would be required to make SMS actually secure against these kind of attacks, and then getting everyone to actually follow them.

ensignavengerOP4y ago

Then we need to do a better job making the UX easier. I'm sure Okta is working on that?

Consultant324524y ago

I feel I should clarify, I do not work for Okta, but play the role of Okta architect on TV.

j / k navigate · click thread line to collapse

0 comments

Consultant324524y ago

bonzini4y ago

SMS is handy but it should be a last resort rather than the main second factor.

jkepler4y ago

trelane4y ago

If you can use sms as a factor, you can use sms as a factor. The only way to win is not to play at all

1 more reply

Spooky234y ago

This. Nerdy people don’t understand how much people struggle with this.

wpietri4y ago

Consultant324524y ago

Depends on how you define "keep it safe". If I give you $100 to keep safe, I don't care how many times you get robbed as long as I get $100 back when I want it. If I can get my money, it's safe.

abecedarius4y ago

3 more replies

edoceo4y ago

Unfortunately, yes.

ufmace4y ago

A decent point. It scares me to imagine all the security checks that would be required to make SMS actually secure against these kind of attacks, and then getting everyone to actually follow them.

ensignavengerOP4y ago

Then we need to do a better job making the UX easier. I'm sure Okta is working on that?

Consultant324524y ago

I feel I should clarify, I do not work for Okta, but play the role of Okta architect on TV.

j / k navigate · click thread line to collapse