Ask HN: Why not send an email instead of SMS for 2 factor? - zaroth

When I'm logging onto a site on my phone, and I get a 2-factor SMS, it's great... the code just shows up at the top and I can type it right in.

But most of the time I'm getting a 2-factor text, I'm at my desktop. I think an emailed code would serve much the same security benefit and potentially be more convenient.

You could even let the user choose if they wanted to receive it via email or text each time they're challenged.
======
patio11
It doesn't share the same security benefit. "Prove you can access an email
address" is sufficient to reset someone's password, which collapses your 2FA
into single-factor authentication. That is problematic because people lose
Gmail accounts _all the time_ , typically because users, in aggregate, suck at
password management. For every 100k accounts PasteBin'ed due to insecure
practices at a random startup or web bulletin board, another 500 or 1000 gmail
accounts get compromised.

------
iSloth
SMS is preferred as the technology is fairly decoupled from internet services,
for example it's more than likely that a number of people have exactly the
same password for service XYZ, as they do for their email service. So it's not
really providing that much more security than single factor, just another hoop
for the hacker to jump through.

Even if you're not stupid enough to use the same password for both services, you
might still be susceptible to key loggers, malware etc... meaning again that
SMS would be a better option.

It's fairly easy to forge an SMS originating number to make a text message
look like it's from someone else, however 2-factor generally is sending
(terminating) a text message to a known number, this is much more secure.

It's almost impossible to intercept a terminating SMS, this is down to how SMS
are routed over mobile networks and the SIM card registration process.
Basically you would need the private encryption keys of the mobile operator to
clone the SIM card and create a fake registration for that number, or
'root/admin' access to the current network that subscriber is on.

------
amarcus
What if somebody has compromised your email account and wants to take over
your bank account? They do a password reset and the 2F is sent to the same
address that is compromised. Not very safe.

Same thing can happen with a phone but, usually, when someone has their phone
stolen, it gets quickly reported and disabled. When your email is compromised,
you may not know about it and even if you do, how long will it take to disable
the account or recover it?

------
bifrost
Pro-Tip: Neither are secure.

Using email or SMS is equally bad and frankly it's actually easier to send a
fake SMS. That said, it's contextual and SMS is usually faster, especially if
you use gmail/etc.

Without an actual OTP or TOTP token, it's basically just window dressing. And
to be completely real, I'd worry more about an exploit of the site's code than
any sort of 2FA issue.

~~~
zaroth
Yeah, and at least email has a decent 'from' field which might even have some
authentication behind it. So it seems like it might be a good place to get the
2FA...

------
dholowiski
If you're into bitcoin mining at all, you see something like this a lot - 2FA
to sign in, and email authentication/confirmation when you want to transfer
coins. I also built a site a while ago that used email as 2FA, it worked just
fine.

Honestly, I think it's not being used because it's not sexy.

