<div dir="ltr"><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif">This is 100% true. If you are using a service like Google Voice for SMS, then this is technically a vulnerable service potentially. In addition, even traditional services can have a vulnerability. Some social engineering, a new SIM card activation, and poof, you now have their SMS coming to your device for 2FA.</div><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif"><br></div><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif">MS only uses the phone number to verify the device your 2FA app is installed on. Once done, it then uses an encrypted process. Google is even a touch more cryptic as their process is not automated; you have to scan a QR code or enter a string of digits to set the algorithm.</div><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif"></div><div class="gmail_default"><font face="trebuchet ms, sans-serif">"For now, services can continue with SMS as long as it isn’t via a service that virtualizes phone numbers — the risk of exposure and tampering there might be considered too great."</font><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 27, 2016 at 8:06 AM, Eric Cope <span dir="ltr"><<a href="mailto:eric.cope@gmail.com" target="_blank">eric.cope@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Given the SMS 2FA vs. standard password, it seems foolish to NOT use the SMS 2FA. There's no such thing as absolute security. SMS 2FA is more secure than the current alternatives. 
<div><br></div><div>What am I missing?</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 27, 2016 at 12:13 AM, der.hans <span dir="ltr"><<a href="mailto:PLUGd@lufthans.com" target="_blank">PLUGd@lufthans.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">moin moin,<br>
<br>
I've been recommending for years that web sites should not be given your<br>
phone number for 2 factor authentication. First of all, they don't need<br>
your phone number :). Secondly, it's not secure.<br>
<br>
Now the NIST agrees.<br>
<br>
<a href="https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=sfgplus&sr_share=googleplus&%3Fncid=sfgplus" rel="noreferrer" target="_blank">https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=sfgplus&sr_share=googleplus&%3Fncid=sfgplus</a><br>
<br>
See also the following.<br>
<br>
<a href="https://danielpocock.com/how-many-mobile-phone-accounts-will-be-hijacked-this-summer" rel="noreferrer" target="_blank">https://danielpocock.com/how-many-mobile-phone-accounts-will-be-hijacked-this-summer</a><br>
<br>
If you're setting up a service to use 2FA, please do not include SMS as<br>
one of the options.<br>
<br>
ciao,<br>
<br>
der.hans<span><font color="#888888"><br>
-- <br>
# <a href="http://www.LuftHans.com/" rel="noreferrer" target="_blank">http://www.LuftHans.com/</a> <a href="http://www.PhxLinux.org/" rel="noreferrer" target="_blank">http://www.PhxLinux.org/</a><br>
# So much shiny, so little time. -- der.hans<br>
---------------------------------------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.org</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
</font></span></blockquote></div><br></div>
</div></div><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">A mouse trap, placed on top of your alarm clock, will prevent you from rolling over and going back to sleep after you hit the snooze button.<br><br>Stephen<br><br></div>
</div></div>