2FA over SMS considered harmful

Author: der.hans
Date:  
To: quatsch
Subject: 2FA over SMS considered harmful
moin moin,

I've been recommending for years that web sites should not be given your
phone number for 2 factor authentication. First of all, they don't need
your phone number :). Secondly, it's not secure.

Now the NIST agrees.

https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=sfgplus&sr_share=googleplus&%3Fncid=sfgplus

See also the following.

https://danielpocock.com/how-many-mobile-phone-accounts-will-be-hijacked-this-summer

If you're setting up a service to use 2FA, please do not include SMS as
one of the options.

ciao,

der.hans
-- 
#  http://www.LuftHans.com/        http://www.PhxLinux.org/
#  So much shiny, so little time. -- der.hans
---------------------------------------------------
PLUG-discuss mailing list - 
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss