Re: 2FA over SMS considered harmful

Author: der.hans
Date:  
To: plug-discuss, Tom Roche
Subject: Re: 2FA over SMS considered harmful
On 28 Jul 2016, Tom Roche said:

hello,

Wow! That's just wrong even if there weren't any security issues.

They shouldn't require access to a cell phone or access to a pay-for-use
service.

I hope there are still non-digital forms of interaction.

ciao,

der.hans

> Hans Kugler[1]
>>> web sites should not be given your phone number for 2 factor authentication. First of all, they don't need your phone number :). Secondly, it's not secure. Now the NIST agrees.
>
> So, as if on cue,
>
> Date: Fri, 29 Jul 2016 04:43:49 +0000
> From: Social Security Administration <>
> Subject: New step to protect your privacy using my Social Security
>
>> Starting in August 2016, Social Security is adding a new step to protect your privacy as a my Social Security user. This new requirement is the result of an executive order for federal agencies to provide more secure authentication for their online services.
>
> ...
>
>> When you sign in at ssa.gov/myaccount with your username and password, we will ask you to add your text-enabled cell phone number.
>
> ...
>
>> Each time you sign into your account, you will complete two steps:
>
>> Step 1: Enter your username and password.
>> Step 2: Enter the security code we text to your cell phone (cell phone provider's text message and data rates may apply).
>
> ...
>
>> If you do not have a text-enabled cell phone or you do not wish to provide your cell phone number, you will not be able to access your my Social Security account.
>
> FWIW, Tom Roche <>
>
> [1]: http://lists.phxlinux.org/lurker/message/20160727.071321.f24aaba8.en.html
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>


-- 
#  http://www.LuftHans.com/        http://www.PhxLinux.org/
#  Intelligence without compassion is a waste.  -- der.hans