2FA over SMS considered harmful

Ed plug at 0x1b.com
Thu Jul 28 22:50:43 MST 2016


1) yes, 2FA is better than a password alone
2) yes, SMS is not secure, and 2FA via SMS is just security theater
3) yes, Yubikeys work better and are even more secure in their now "not
free" hardware*, but NFC is needed for Android phones and iPhones are
SOL (thx Appl)...  so?
4) U2F Yubikeys are $18 and work without disclosing anything, so use
them when not on SuperPhones
5) your authentication at many organizations will require things like
Duo mobile 2FA, and you want yob?
also, NIST knows this isn't going to be a quick transition, like
dropping cipher protocol SSLv2 etc. - sloooww
der.hans - it's called institutionalized for a reason  ;)
*also not Java anymore, so: tradeoffs

On Thu, Jul 28, 2016 at 10:24 PM, der.hans <PLUGd at lufthans.com> wrote:
> On 28 Jul 2016, Tom Roche wrote:
>
> hello,
>
> Wow! That's just wrong even if there weren't any security issues.
>
> They shouldn't require access to a cell phone or access to a pay for use
> service.
>
> I hope there are still non-digital forms of interaction.
>
> ciao,
>
> der.hans
>
>
>> Hans Kugler[1]
>>>>
>>>> web sites should not be given your phone number for 2 factor
>>>> authentication. First of all, they don't need your phone number :).
>>>> Secondly, it's not secure. Now the NIST agrees.
>>
>>
>> So, as if on cue,
>>
>> Date: Fri, 29 Jul 2016 04:43:49 +0000
>> From: Social Security Administration
>> <subscription.service at subscriptions.ssa.gov>
>> Subject: New step to protect your privacy using my Social Security
>>
>>> Starting in August 2016, Social Security is adding a new step to protect
>>> your privacy as a my Social Security user.  This new requirement is the
>>> result of an executive order for federal agencies to provide more secure
>>> authentication for their online services.
>>
>>
>> ...
>>
>>> When you sign in at ssa.gov/myaccount with your username and password, we
>>> will ask you to add your text-enabled cell phone number.
>>
>>
>> ...
>>
>>> Each time you sign into your account, you will complete two steps:
>>
>>
>>> Step 1:  Enter your username and password.
>>> Step 2:  Enter the security code we text to your cell phone (cell phone
>>> provider's text message and data rates may apply).
>>
>>
>> ...
>>
>>> If you do not have a text-enabled cell phone or you do not wish to
>>> provide your cell phone number, you will not be able to access your my
>>> Social Security account.
>>
>>
>> FWIW, Tom Roche <Tom_Roche at pobox.com>
>>
>> [1]:
>> http://lists.phxlinux.org/lurker/message/20160727.071321.f24aaba8.en.html
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
>
> --
> #  http://www.LuftHans.com/        http://www.PhxLinux.org/
> #  Intelligence without compassion is a waste.  -- der.hans