Reminder: SMS 2FA adds only a negligible amount of security, if your company does 2FA via SMS you're doing nothing more than lulling your users into a false sense of security. Don't do it. Support proper 2FA. (And while you're at it, allow your users to decide how much they care about their account. Don't make the decision for them.)
> Reminder: SMS 2FA adds only a negligible amount of security
I would disagree. Obviously, there are better approaches, but consider basic password auth on desktop, that is easily exploitable en masse by botnets. if you add 2FA via SMS, you would need to exploit both devices (or attack SS7, transfer number or some other trick) and match infos from these devices. Can be done in targetted attack, but harder in en masse botnet attacks.
Congratulations, you've spotted the negligible amount, which I explicitly said was negligible, as opposed to zero. Just because something has some benefit does not mean that benefit is greater than the costs.
Printed/saved backup codes are still an option. Can also attach multiple 2FA tokens to one account. That's what Google and many others provide. Their customers seem satisfied.
That is false. Many incidents have been widely reported where huge names, who certainly could afford even a $50 hardware token to protect their reputation/brand, were 'hacked' because they thought SMS 2FA protected them - and it didn't. Even with services which do also offer TOTP or U2F etc.
I use Authy app which performs encrypted backups to the cloud and verifies regularly that I can still remember the passphrase. I have never lost a TOTP token this way.
I've never encountered this. All of my 20-something 2fa tokens I could recover with processes ranging from making videocalls to identify myself to getting a 24 hour slot in which all but the 2fa reset was locked.
I’d be curious to know which services are confirmed to have solid 2FA reset practices (i.e., you can do it if you lose your keys; no one else can do it).
These would probably be smaller businesses that earn their revenue directly from paying customers (and would lose if you give up and cancel your card/block their transactions)—I can’t imagine this ever working for ad-driven whales like Google or Facebook, or large corporations to whom you’re small fish and need them more than they need you.
Also, it’ll be interesting to see how 2FA reset options evolve in near future. A 24-hour slot to reset only 2FA, for example, looks like a valid attack vector. Also, I suspect deepfaking videocalls won’t be out of reach of a dedicated but average attacker for long.
> I can’t imagine this ever working for ad-driven whales like Google
Google was one of those that offers account recovery[1], but has it fully automated. I did not need it, because Google urged strongly to create backup tokens. I had those in my encrypted backup.
Focusing too much on what can go wrong is unproductive. I could also steal your iPhone, or force you to reveal a 2fa token using the Rubber Tube Decryption method.
There is no such thing as 100% security. And certainly not if it needs to be balanced against some real-world-ease such as "recovering after you dropped your iPhone in the toilet".
The 24hour recovery slot was at my cloud VPS service from which I got a bazillion warning mails. "your 2fa will be disabled in 48 hours, did you not initialize this, click here to ...".
The least secure was at my bookkeeper's online portal, where I could call them over the phone, offer some simple verification and have 2fa disabled. That does not remove my trust in them, because 1) it is an account that needs less security than e.g. my AWS account, and 2) they do know me personally and I them. It actually makes me trust them more because I know they are there for me when I need them.
there can at least be a notification and a delay, so I have 12-48 hours to respond if I get an emergency alert that my service is about to be deactivated
SMS 2FA is, at best, just adding a little hassle for the hacker. If it's not a targeted attack, there's a chance that the extra effort means they'll move on, but that won't stop any remotely determined hacker.
I'm not sure it's better, at least not in all cases. If you can reset your password or login without password using SMS, and you had a strong password, it could be worse.
I agree it's def better than nothing. But I think most end users think 2FA SMS is the equivalent of hiring an armed security guard at your door, not when it's really the equivalent of putting an ADT sign in your front lawn from amazon.
