Originally published at: https://boingboing.net/2019/06/10/use-2fa-apps.html
…
SMS is not for security. Trying to use it for security just introduces a weakness in your system.
At best SMS verification is useful for making it more difficult for bots to create masses of accounts on your system. Any use beyond that is counterproductive. Definitely don’t offer it as a means of verification on your support portal. Most account takeovers occur through the helpdesk.
Clicked because I read “SM-swapping”. Am disappoint.
Posted on another topic/thread already: bank recently informed me they will fade out SMS TANs. They are selling specialised equipment to read flicker codes, or you can use their app to ID via biometrics. Tried the latter, and it de-registered my device twice already. Registration involves being sent an activation code via mail.
I still question their decision to get rid of TAN lists, but then, I am glad they did accept that SMS is a shitty second factor…