NIST has already been discouraging the use of SMS for 2fa[0], but that apparently won't stop the subset of incompetent IPSec consultants who still recommend SMS based 2fa.
It doesn't stop incompetent dataroom operators either from forcing their users to give them their phone numbers for 2fa purposes.
And there is absolute gold in those datarooms if you know where to look.
Recent offender:
"iDeals proposes to protect your account with 2 factor authentication. It means that each time when you will be accessing the project / changing your password / accessing the protected versions of documents in the data room - an sms code will be sent to your cell phone."
This after me pointing out that SMS for 2fa is not a good idea.
PayPal only supports SMS based 2FA, or, if you dig through their old website with archive.org, you can find a way to use one of their proprietary 2FA devices.
Sadly you can easily and trivially bypass the VIP token by providing a credit card number or a few other identifying details. It's worse than the SMS loophole. And another reason why I'm trying to delete my Paypal account. ;-)
Thanks! I didn't realize that was possible either. I just switched my PayPal account to use Google Authenticator instead of SMS, which besides being more secure, is much more convenient since I don't get cell reception in most of my apartment and have to put my phone near a window to get the SMS.
You can still use Symantec’s VIP (Validation & ID Protection) authenticator app instead of SMS. I just set it up a few moments ago following these instructions:
Paypal also couldn't walk you through a 2FA payment for eBay on mobile. At all. You had to use a desktop. This was about a year or two ago. One would think that a payment company would have better security, especially given they're owned by eBay.
There are also measures that can be taken when using SMS based MFA, via services that check if the SMS is forwarded to a burner phone, or do a SIM check with the phone.
In addition the SMS based MFA services should be leveraging fraud score and number deactivation checks for the target numbers to catch the most obvious fraud scenarios.
Not sure a lot of the companies providing these services actually do that though. And all-in-all, non-SMS based MFA is going to be better anyway.
Because their target markets contain both people who'll gladly spend 50 quid on the latest account security dongle, as well as people who have a Pentium 4 desktop and a 50 quid feature phone. The latter get much more secure when, apart from a password (probably on a post-it stuck next to the screen), they are inconvenienced to also type in a few digits from an SMS.
You are 100% correct. But I'm genuinely curious why institutions such as banks/telcos couldn't spare the resources to offer both SMS 2FA and more secure options for those who do care. I can't imagine it's a matter of technical resources as it wouldn't take much. Is it institutional inertia? Technical debt?
The security model of banks is completely different from everything else. They will only consider 2FA if the total calculated cost /to them/ becomes significant if they don't.
...and if they were to offer a more advanced 2fa option, it'd possibly only appeal to a niche of users that wouldn't significantly change (improve) their calculated cost?
That's why they probably wouldn't roll out to a voluntary subset on regular accounts.
Tbf, I've had a handful of accounts in a few different countries. I've had proper 2FA in most of them (the one I started with around 2005 uses printed one-use codes), SMS codes in one and no 2FA in one.
They also (most likely) include many other, even network packet level, checks in addition to primary and secondary authentication. It's not as simple as it looks to the honest end user.
REAL 2fa with SMS is marginally safer (but not much more so), since it requires password and SMS to do anything.
The problem is that nearly every single 2fa setup out there does something radically stupid such as use your 2fa method for password reset, or a combination of 2fa + email. This is horribly, horribly broken and worse than "no 2fa at all." All it takes is a SIM clone to steal your phone #, which you use to reset the email, and then email + phone/SMS can be used to reset nearly every single credential under the sun. The only exceptions are those that use proper 2FA such as one-time password apps -- but not Authy which just syncs your OTP/2fa credentials to the cloud and happily transfers to the cloned device :(
Could you elaborate on why Authy is not safe? In my setup,
1) after adding the devices I wanted to add, I've disabled multi-device (which keeps the existing devices, but prohibits adding new devices),
2) for new devices, it requires a backup password (once) to decrypt the credentials retrieved from the cloud, and
3) IIRC, it requires authorisation from one of the trusted devices to add a further device.
All in all, it seems much better (in terms of the security/availability trade-off) than Google Authenticator. But I've read opinions similar to yours a few times, and I wonder where they come from, whether they've been reasonable in the past, and whether they still are.
How well do you trust the customer service rep at Authy against social engineering? Especially when someone has control over your email, phone, and potentially many other accounts already.
It's certainly safer than only using a password if you use the same password on lots of sites, since the odds of any password database being hacked are higher than the odds of your phone being targeted.
More importantly, a lot of web framework templates using 2FA with an SMS provider will still be around. Of particular note is ASP.NET's template, which is very easy to get up and running with 2FA with SMS/Email.
[0] www.slate.com/blogs/future_tense/2016/07/26/nist_proposes_moving_away_from_sms_based_two_factor_authentication.html