Re: two factor auth

On Mon, Jan 18, 2021 at 9:53 AM Alvin Starr <alvin@xxxxxxxxxx> wrote:
>
> On 1/18/21 10:17 AM, o1bigtenor wrote:
>
> On Mon, Jan 18, 2021 at 1:33 AM Gabriele Bulfon via Info
> <info@xxxxxxxxxxxxxxxxxx> wrote:
>
> Sometimes your customer ends up in a situation where stolen passwords allow the thief to redirect bank transactions and lose a lot of money.
> The stolen password may even be strong, but any other kind of phishing technique has revealed it to the thief.
>
> A 2FA or any other kind of "device authorization" may protect you further.
>
> Thank you for using the word 'may'!
>
> Have been doing some more research, and using an SMS message as part of
> a 2FA is considered not only the poorest of security options, but it is
> suggested that such use may actually decrease security.
> Using a very poor tool may be even worse than using no tool in my experience.
> So far, in my experience anyway, most that use very strong passwords
> seem to be quite a bit less likely to succumb to phishing techniques.
>
> Multi-factor authentication is better than single factor authentication.
> You can dispute how much better, but n (always) > 1, where n is > 2.
>
> You may be immune from phishing techniques but nothing will help when your service provider loses your password data.
>
> To rip comments from the ACM article I posted earlier.
>
>
> Despite their popularity and ease of use, SMS-based authentication tokens are arguably one of the least secure forms of two-factor authentication. This does not imply, however, that it is an invalid method for securing an online account.
>
> True, there are a number of services that should not be used with tokens delivered via SMS—for example, banking and financial services, cryptocurrency services, and anything containing sensitive financial information, and credit card numbers. Personal email addresses also fall into this category. An email account takeover can have devastating consequences if that account is the cornerstone to the user's online digital identity.
>
> On the other hand, there are many online services for which SMS-based tokens do suffice for the average consumer—for example, any vanilla accounts that store no sensitive or financial information, which attackers could not easily monetize, thereby discouraging them from trying to take over the account in the first place.
>
> Other variables should be factored into the equation when deciding which multifactor authentication method is most appropriate. The security implications for a social media account for a well-known individual with millions of followers are very different from those for an account with just a handful of followers. Therefore, while using SMS as a second factor of authentication for some social media accounts is perfectly valid, it would be wise to opt for a different method for the account of a celebrity or politician.
>
> The current security landscape is very different from that of two decades ago. Regardless of the critical nature of an online account or the individual who owns it, using a second form of authentication should always be the default option, regardless of the method chosen. In the wake of a large number of leaks and other intrusions, there are many username and password combinations out there in the wrong hands that make password spraying attacks cheap and easy to accomplish.
>

Greetings Mr Alvin

You are arguing that anything more than single-factor authentication
is better than single-factor authentication.

I would suggest that SMS authentication is so easily hacked and so
open to exploitation that such should be considered a negative in the
factoring process.
The percentage of people in my ken that have had their 'stupid' phones
hacked is not low - - - - in fact imo it is far too high.
The level of hacking is largely due to the relative porosity of
the system and the network.
Then there is the flat-out terrible reception (availability) for most
rural denizens.
Putting even just these two points together means that I don't have to
step very far to say that including SMS in a two-factor authentication
scheme is very, very bad planning.
In a perfect world this wouldn't be such an issue, but when you have
likely 90% of the world that use bloody poor passwords (and some just
shrug when their 'stupid' phone access gets hacked!!) coupled with the
lack of usability in, at the very least, rural North America, this
becomes imo a huge issue.
Those arguing for its validity don't seem to get the incredible
weakness of such - - - - or - - - - maybe they just don't care.

(I would have snipped some of the previous but felt that all needed to
be included for understanding.)

Regards

------------------------------------------
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/T270ab79574d5f63e-M25ac2e93c3e3bd5f530af93e
Delivery options: https://cyrus.topicbox.com/groups/info/subscription
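The thread above argues for a second factor other than SMS; the ACM excerpt says it "would be wise to opt for a different method". The usual such method is an app-generated time-based one-time password. What follows is an added example, not code from this thread, from the Cyrus project, or from the ACM article: a complete RFC 4226 HOTP / RFC 6238 TOTP generator and verifier in Python using only the standard library. The secret is the ASCII test key from the RFCs ("12345678901234567890"), so the outputs can be checked against the published test vectors; it is not a real key. The issuer name "Cyrus" and the account "alice@example.com" in the provisioning URI are placeholders.

```python
"""Added example (not from the thread or from Cyrus): app-based OTP as the
non-SMS second factor the thread recommends. Implements RFC 4226 HOTP and
RFC 6238 TOTP, plus a constant-time verifier with a clock-skew window."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# Used here only so results match the RFC test vectors; never ship a fixed key.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C) per RFC 4226: HMAC over the counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                          # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP per RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, at: int, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Accept a code for the current step or up to `window` steps either side,
    to tolerate clock skew between client and server.

    The comparison is constant-time and every candidate step is evaluated
    (no early return), so timing does not reveal which digits or which step
    matched. A real verifier must also remember the last accepted step and
    refuse anything at or below it (RFC 6238 section 5.2), otherwise a code
    observed in transit can be replayed within the window; that state is
    the caller's responsibility in this example."""
    if not (candidate.isdigit() and len(candidate) == digits):
        return False
    counter = at // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c, digits), candidate)
    return ok


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI, the payload behind the QR code authenticator apps scan.
    Apps expect the secret as unpadded base32."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&digits=6&period=30")


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_TEST_SECRET, now))
    print("valid now?   ", verify_totp(RFC_TEST_SECRET, totp(RFC_TEST_SECRET, now), now))
    print(provisioning_uri(RFC_TEST_SECRET, "alice@example.com", "Cyrus"))
```

With the RFC test secret, `hotp(..., 0)` gives 755224 and `totp(..., 59, digits=8)` gives 94287082, matching Appendix D of RFC 4226 and the RFC 6238 test table. Note what this does and does not buy you relative to SMS: the shared secret never traverses the phone network, so SIM swapping and SS7 interception do not apply, but a code typed into a phishing page still works for the attacker for up to (2 * window + 1) * step seconds, which is why the replay bookkeeping above matters and why phishing-resistant factors (FIDO2/WebAuthn) exist.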