Am 27. Jul, 2016 schwätzte Eric Cope so:

moin moin Eric,

> Given the SMS 2FA vs. standard password, it seems foolish to NOT use the
> SMS 2FA. There's no such thing as absolute security. SMS 2FA is more secure
> than the current alternatives.

Because they should be using a non-SMS system if 2FA is required. Non-SMS
is actually easier and more reliable.

It does, however, require more capability on the client side since the
user will need to install an application.

SMS adds my phone as an attack point. I would rather not have that. I also
don't want companies to have my phone number. They don't need to call me.

I can use sufficiently long and complex passwords ( if the site allows me
to ). I do not need or want phone calls from most companies I do business
with.

Here's a 4 year old article on setting up apache to use Google
Authenticator, so there seems to be at least one option :).

http://www.techrepublic.com/blog/australian-technology/pairing-apache-and-google-authenticator/

ciao,

der.hans

> What am I missing?
>
> On Wed, Jul 27, 2016 at 12:13 AM, der.hans <PLUGd@lufthans.com> wrote:
>
>> moin moin,
>>
>> I've been recommending for years that web sites should not be given your
>> phone number for 2 factor authentication. First of all, they don't need
>> your phone number :). Secondly, it's not secure.
>>
>> Now the NIST agrees.
>>
>>
>> https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=sfgplus&sr_share=googleplus&%3Fncid=sfgplus
>>
>> See also the following.
>>
>>
>> https://danielpocock.com/how-many-mobile-phone-accounts-will-be-hijacked-this-summer
>>
>> If you're setting up a service to use 2FA, please do not include SMS as
>> one of the options.
>>
>> ciao,
>>
>> der.hans
>> --
>> #  http://www.LuftHans.com/        http://www.PhxLinux.org/
>> #  So much shiny, so little time. -- der.hans
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
>

-- 
#  http://www.LuftHans.com/        http://www.PhxLinux.org/
#  Nobody grows old merely by living a number of years.
#  We grow old by deserting our ideals.
#  Years may wrinkle the skin, but to give up enthusiasm
#  wrinkles the soul.  -- Samuel Ullman