2FA over SMS considered harmful

[Tom Roche]

Hans Kugler[1]
>> web sites should not be given your phone number for 2 factor authentication. First of all, they don't need your phone number :). Secondly, it's not secure. Now the NIST agrees.

So, as if on cue,

Date: Fri, 29 Jul 2016 04:43:49 +0000
From: Social Security Administration <subscription.service at subscriptions.ssa.gov>
Subject: New step to protect your privacy using my Social Security

> Starting in August 2016, Social Security is adding a new step to protect your privacy as a my Social Security user.  This new requirement is the result of an executive order for federal agencies to provide more secure authentication for their online services.

...

> When you sign in at ssa.gov/myaccount with your username and password, we will ask you to add your text-enabled cell phone number.

...

> Each time you sign into your account, you will complete two steps:

> Step 1:  Enter your username and password.
> Step 2:  Enter the security code we text to your cell phone (cell phone provider's text message and data rates may apply).

...

> If you do not have a text-enabled cell phone or you do not wish to provide your cell phone number, you will not be able to access your my Social Security account. 

FWIW, Tom Roche <Tom_Roche at pobox.com>

[1]: http://lists.phxlinux.org/lurker/message/20160727.071321.f24aaba8.en.html