
FWIW I wouldn't regard SMS as a good 2nd authentication factor either, for the same reasons as this issue, it's too easy to get a carrier to transfer a number to an attacker.

Where it's used as a second factor, this still has an impact which is, if an attacker can get the password (and there's been enough breaches and keystroke logging for that to be common) they can then grab the number to get full control of the account.

TOTP or hardware tokens don't generally suffer from the same problem.




The problem is with most online services, the only second factor allowed is SMS.

If you see it as "don't bother, they can just steal your SMS number" instead of "that's slightly better, at least now they can't get in without stealing my number" then you're not thinking about this reasonably.

It's inane to neglect to use SMS where it's the only second factor available. The exception is when a service allows you to use SMS alone for password resets, which isn't MFA; it's 1FA with a weaker factor than a password.

What would you think if someone took you for a joyride in a classic car and said "shoulder belts would be so much better than these lap-only belts, so don't bother buckling up!"


SMS is the only "second factor" that you can't control at all, your phone number can be changed from the phone company at any point, disabled, or suddenly refuse to work in a foreign country (all of those three happened to me).

For those reasons, even as a second factor it's a terrible one. SMS is just not a good method of authentication at all and has no place in a login form.

At its best, SMS is only useful as a read-only notification system for non-sensitive purposes.


Basically every service I've used that requires SMS will use it as the sole authentication factor for resetting your password. It's brutal.


I didn't say it was worse than just password, I said it was a bad second factor, which it is.

SMS 2FA was vaguely reasonable before TOTP applications and smartphones capable of running them were widely available. That's no longer the case.


What's the recovery process when your phone gets stolen, or you drop it?


For me, for TOTP, I use one that backs up to iCloud. That obviously weakens the security, but increases the availability.

With some applications, you can add additional devices, so you can add multiple, if you have 'em.


A bad second factor is better than no second factor.

I enabled TOTP on every account I have that supports it, which comes to about 2 out of every 5 services. I'm not going to leave the other 60% with only one factor just because SMS can be exploited, which the consensus in this thread seems to be advising everyone to do.


If someone can exploit your SMS, it's possible they can use that to social engineer their way into a password reset with services. (I forgot my password but I still have my phone.) So I would say a bad second factor can be strictly worse than no second factor.


You're describing single factor, not two factor. If you can change the password with SMS alone, it's not multi-factor. I plainly stated that exception two comments ago.


Except you have no way of knowing if that will be the case ahead of time. Unless the first thing you do after enabling 2FA is to social engineer a password reset for your account? Even then that doesn't guarantee that there isn't a more clueless service rep that will make a mistake.

Asking before you sign up, "will you allow my account to be hacked through social engineering?" isn't going to get an answer other than no. Even if the answer is possibly yes.


But then let's please move the discussion from "Is SMS a good or bad second factor?" to "SMS is a mediocre second factor, and a terrible single factor. For this service, is it a second or single factor?"


You're incorrectly assuming that you can predict a site will never allow password reset via SMS only.

You can check if they appear to allow it today. Not perfectly, as they may have multiple variants and depending on other factors you might get presented with one or the other.

But you have no way to predict if next month a PM there decides their current password reset was too cumbersome and they change it to SMS-only. If you have a phone number on file, you're now suddenly vulnerable.


Others may have suggested that; I did not :)


> TOTP or hardware tokens don't generally suffer from the same problem.

But how many hardware tokens or TOTP tokens are users willing to deal with? I currently have eight for various clients and systems at work. If each online account required a TOTP token or a custom hardware token it would be a confusing mess of tokens.

I don't know if there's a safe and easy way of reusing the same token across sites. Until then SMS really is the only "solution".


It is safe to use the same U2F token for many sites, that's not an issue. Having a backup token is very useful, but apart from that, a single hardware token (not custom - standards are good) can easily be used to secure all your accounts.


The only thing I wish is that more sites support multiple tokens, since tokens can get lost.

If you only support one token but have an easy recovery procedure, that opens up loopholes. If you support multiple tokens, allow the user to de-activate one token from another token, and make recovery difficult, that's much more secure.


Again, other than AWS which "more sites"?

Dropbox, Facebook, Google, GitHub, GitLab, even Login.gov works fine with multiple tokens.

More sites should do WebAuthn (you should not do greenfield deployments of U2F today, WebAuthn is the standard). Yes, AWS should fix their feature but that shouldn't block the next ten would-be Unicorns from doing WebAuthn.


Twilio, Kraken, Paypal, Gusto, Bittrex, Coinbase, ...


But none of these support U2F or WebAuthn at all. The problem isn't that they need to support "multiple" tokens except in the sense that they don't support any at all.


They all support TOTP and some (such as Kraken) support U2F.

Point is whether it's U2F or Web'n'Auth or TOTP they need to support multiple keys.


Kraken's own support site says that they do not in fact support U2F.

https://support.kraken.com/hc/en-us/articles/360001363963-Yu...

It doesn't make sense to try to "support multiple keys" for TOTP. You can copy-paste TOTP seeds if that's what you want and feel comfortable with. If the site tries to allow you to use any of N seeds, they not only increase their system complexity, they also reduce their security by a factor of N, which makes no sense.

Edited to add: OK, Coinbase does now have U2F and they clearly state you can use "a maximum of 5 keys" which feels like that's enough.


Assuming that the sites allow you to change the token manually?


I've never seen a site that didn't have at least this.

Usually you get a UI where you can add new ones and remove old ones, and when you add a new one you name it in their UI so that you can tell it apart from any others.


TOTP is phishable, which is a way way way more common attack than sim swaps.


Sure, no security measure is perfect. Hardware tokens are likely to have better properties than TOTP, which has better properties than SMS, which has better properties than nothing.

You can phish SMS exactly the same way you can phish TOTP, I'd say :)


TOTP is marginally safer than SMS.

It also comes with large downsides. Security is an economics game. Marginal improvements in security posture are not always worth the cost.

There are a bunch of people who insist that web services should drop SMS completely and demand that all users use TOTP (at least). I question the value of this change given that TOTP only protects you in comparatively rare cases.


Phishable how? "Your account has been hacked, please provide us a TOTP code"?


1. Somebody loads fakebank.com.

2. It pops up a username/password screen. The user types in their credentials for realbank.com.

3a. The owners of fakebank.com use your creds to log in to realbank.com and are presented with a TOTP page.

3b. fakebank.com loads another page that asks the user for their TOTP. The user enters it, still thinking they are logging in to realbank.com.

4. The owners of fakebank.com use the TOTP to authenticate as the user with realbank.com.

Entire SDKs to automate this are sold on the black market.


This is certainly a vulnerability, but it also depends on how you get your TOTP codes. I use Bitwarden's browser extension to get mine, and if the domain is incorrect, the extension won't present me with the code. I think this is a decent level of protection from phishing.


I encourage you, as an exercise at least, to think about what you'll do when it doesn't work.

You're sure this is the right web site. But Bitwarden won't fill out the code. What could be wrong? Did the idiots who make this web site change the URL?

Now, maybe you're a far above average user and you would calmly determine the exact cause, assuming at every step that the most likely explanation is you're being phished. Hopefully that's more likely now that you've done this exercise. I would love to believe I'm in this category.

But most users will just be frustrated: why wasn't it filled out? Is there a way to get the code from Bitwarden anyway? There is; it's a bit fiddly but you can do it. Lots of users are going to do that. They might even help each other to give their credentials to bad guys, community spirit.

Hopefully some of those users pause because this is unusual and a few of them will realise in that moment that they're being phished. But experiments suggest most won't.


I did consider this, and I would also like to believe that my first thought would be "I am being phished" rather than "I'm sure this is the right web site." I do understand that many users (including myself on a bad day) might not recognize a phishing situation. But at least there is a layer of defense that SMS doesn't have.

Maybe the Bitwarden extension should warn users when they try to copy/view a TOTP code by searching for a login rather than using a matched entry.

U2F is my preferred method of MFA, but many services don't support it, and there can be practical issues even for the ones that do. For example, some services support U2F in a browser but not in mobile apps.


Couldn’t this entire scenario play out exactly the same with SMS codes?


Yes.

The point is the TOTP is precisely as bad as SMS for the common case (phishing) and only safer in a rare case (SIM-swap). This comes with large downsides (losing access).

TOTP is, at best, a very marginal improvement over SMS. This is what makes the online push to complain about services that use SMS 2FA and demand a switch to TOTP very strange.


TOTP is far, far better for travellers who need to swap their SIM cards frequently, or need to work out of places with internet access but no cell reception.


Sure. I'm not opposed to supporting it. It is just weird to me to see people pushing for it with seemingly equal vigor as U2F.



