
Reddit Breach Highlights Limits of SMS-Based Authentication - dsr12
https://krebsonsecurity.com/2018/08/reddit-breach-highlights-limits-of-sms-based-authentication/
======
merricksb
Earlier discussion about Reddit breach:

[https://news.ycombinator.com/item?id=17664301](https://news.ycombinator.com/item?id=17664301)

------
clarkmoody
Given the sketchy password policies of many (most?) websites, _including
banks_ , I have serious doubts that sites will recognize SMS as insecure. The
only options seem to be:

* Don't use services with SMS 2FA

* A burner number for each different service that only has SMS 2FA

* Disable 2FA for that service

------
chomp
They never said how they determined it was SMS intercept. Did a Reddit
employee have their 2FA SMS's go to a Google Voice account that got comped?
Working at a large corporation, I've seen people use Google Voice for their
2FA a couple times.

