2FA over SMS considered harmful
der.hans
PLUGd at LuftHans.com
Wed Jul 27 00:13:21 MST 2016
moin moin,
I've been recommending for years that web sites should not be given your
phone number for 2 factor authentication. First of all, they don't need
your phone number :). Secondly, it's not secure.
Now the NIST agrees.
https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=sfgplus&sr_share=googleplus&%3Fncid=sfgplus
See also the following.
https://danielpocock.com/how-many-mobile-phone-accounts-will-be-hijacked-this-summer
If you're setting up a service to use 2FA, please do not include SMS as
one of the options.
ciao,
der.hans
--
# http://www.LuftHans.com/ http://www.PhxLinux.org/
# So much shiny, so little time. -- der.hans