undefined | Better HN

0 pointsToo2y ago0 comments

SMS is magnitudes less secure than the Secure Enclave in my phone.

Fallback should never be the weakest link in a security chain. Especially not in something as high stakes as your banking login.

I can’t remember how I got my first bank token in my phone. Probably by physically showing up in the bank office with my id.

0 comments

The_Colonel2y ago

SMS 2FA is not great, but still seems to be more secure than a rooted phone.

If your SMS OTP leaks to the attacker, they still need to know the first factor (password, biometrics) to gain access.

Meanwhile, if your rooted phone is controlled by an attacker ... that's it, the attacker has everything.

TooOP2y ago

Fair. I still wouldn’t want to have such a fallback available by default. Being stronger than an even worse option doesn’t change that. Because it eliminates the security of the strongest option.

didntcheck2y ago

Agreed. Unfortunately almost every bank here forces me to use this less secure option "for security" due to my rooted phone. Not one has just offered standard TOTP (perhaps because the pull-only nature of it means they can't present the message explicitly telling the user what they're about to authorize. Which is an understandable qualm I guess)

eganist2y ago

> SMS is magnitudes less secure than the Secure Enclave in my phone.

The secure enclave on a rooted phone that no longer has execution integrity?

j / k navigate · click thread line to collapse