
I think the article is about not using SMS for 2FA, not about abandoning SMS altogether.



I wish someone could tell me how bad SMS for 2FA is in reality, because every time I hear about it, it's worded as if someone could gain access to your account JUST by stealing your SMS, which is exactly what TWO-factor authentication would prevent from happening.

I've been under the impression a lot of scary articles about it are talking about single-factor recovery methods that use SMS, such as password reset systems.

I also think it's weird how e-mail never seems to be counted as a form of 2FA. If everyone used e-mail as 2FA, then I'd only need to secure my e-mail account.

If my passwords are saved locally on my computer, isn't the computer "something I have"? Holding a phone number in a complex system of telephony is the weirdest "something you have" you could come up with.


You've basically backed into the logic of passkeys as well. It's all about _provably_ having the thing you have. Basically everyone is storing their passwords on their computer anyway, if at all, so the computer is the thing they have. Why not make that the factor instead of a string?


>Passkeys are a new way to sign in to apps and websites. They’re both easier to use and more secure than passwords, so users no longer need to rely on the names of pets, birthdays or the infamous “password123.”[1]

Hmmm... are THESE the vectors people are considering when they make these things? I mean, it makes sense, but it does put it in a whole different perspective.

Am I correct to think that these aren't real problems if you use passphrases instead of some cliched password?

Because you can steal my phone and get through the lock screen to access all my stuff with the passkey, but you can't get my master password out of my brain unless you put a probe in it.

1. https://blog.google/technology/safety-security/the-beginning...


Passphrases and a browser extension, basically. The passphrase can still be stripped off the wire and used later, while passkeys are phish-proof and single use.


As someone working in telecom, we often hear customers telling us that their bank account has been wiped clean. How did they get there? SIM swap. A bad actor manages to transfer the phone number onto a SIM card they control.

Now they have potential access to all accounts where you use 2FA.


But that's just one of the FA's? In fact you could argue any 2FA account is 3FA.

For example, to break into John's account at bank dot com you need to know:

1. John's username.
2. John's password.
3. The code the bank sends to John's SMS.

I guess for a lot of extremely important things the username is public information, so that one is easy to get, but you still need the password besides the SMS.

Where are these bad actors getting the users' passwords from?

It seems you already need to have a leaked password for this SMS attack to mean anything, which I assume isn't something that happens very often. From how often I've heard about SMS 2FA being bad, it sounds like it's worse at locking your account than 1FA, and that's what doesn't make sense to me.





