
You might have difficulty reading entire comments.

Yes, SMS 2FA will fail against a sophisticated and targeted attack. It is still drastically better than NO second factor, which is the actual comparison in the real world. There are people without smartphones. There are people without the ability to install/use a TOTP app. My aunt can either use SMS 2FA or nothing. SMS protects her pretty well against 95% of the types of attacks she's likely to face.




Which part of your comment do you think I failed to read?

Frankly, a secure password alone, with no second factor, is "drastically" better than a secure password with ability to change that password by SMS, as is frequently the case (a quarter of the time, per that research). So set up LastPass or 1Password for your aunt.

As for "protects her from 95% of the attacks she is likely to face", that's a number that doesn't jive with my experiences as CTO of the second largest bank in the world.

Your claim is "Because most customers, most of the time, are not under a targeted or even semi-targeted attack."

On the contrary, most customers are under automated attacks, and SMS plus password leaks lets that takeover be fully automated.


>>Frankly, a secure password alone, with no second factor, is "drastically" better than a secure password with ability to change that password by SMS, as is frequently the case (a quarter of the time, per that research). So set up LastPass or 1Password for your aunt.

Obviously password resets shouldn't be possible by SMS alone, I never claimed otherwise. I'm talking about using SMS as a second factor - in addition to having the valid password.

>>As for "protects her from 95% of the attacks she is likely to face", that's a number that doesn't jive with my experiences as CTO of the second largest bank in the world.

In my experience, low-net-worth + technically unsophisticated users are mostly at risk from brute force attacks and/or credential stuffing, and SMS (as an actual second factor, not a "reset the password for free" button) is very effective at stopping that.

>>On the contrary, most customers are under automated attacks, and SMS plus password leaks lets that takeover be fully automated.

If your customers have phone number/username/password all leaked together...sure, I can believe that. Probably you should focus on preventing leaks of that size.


> If your customers have phone number/username/password all leaked together...sure, I can believe that. Probably you should focus on preventing leaks of that size.

A substantial proportion of your customers' email + password pairs have been leaked before they sign up with you. Email and phone are already paired from data brokers, you don't need the dump.

A majority of SaaS providers and banks fail to check for previously leaked creds. Many of the same ones that think SMS is "perfectly good".
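The leaked-credential check mentioned above, as an added example that is not from any commenter in this thread: it follows the k-anonymity scheme of the Pwned Passwords range API (only the first five hex characters of the SHA-1 hash leave the server; the full hash and password never do). The range response below is a constructed stub standing in for the HTTP call, and the count values are constructed.

```python
import hashlib

# Constructed stand-in for the range lookup. The real call would fetch
# https://api.pwnedpasswords.com/range/<PREFIX>, which returns one
# "SUFFIX:COUNT" line per leaked hash sharing that 5-char SHA-1 prefix.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the
# stub lists its suffix under prefix "5BAA6"; the counts are made up.
_CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "0000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:2\r\n"
    ),
}


def fetch_range_stub(prefix: str) -> str:
    """Offline replacement for the HTTP range request (constructed data)."""
    return _CONSTRUCTED_RANGES.get(prefix.upper(), "")


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into (prefix, suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map, skipping blanks."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range=fetch_range_stub) -> int:
    """Return how many times the password appeared in known leaks (0 if never)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def signup_allowed(password: str, fetch_range=fetch_range_stub) -> bool:
    """Policy hook for signup / password change: refuse any previously leaked password."""
    return breach_count(password, fetch_range) == 0
```

Swapping `fetch_range_stub` for a function that performs the real HTTP request gives a production check; the same prefix/suffix split applies unchanged.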


Is your bank one of the ones that uses email addresses for usernames? Because that's a great way to make it much easier for attackers to match up leaked creds. Consider switching to a (chosen) username or card number or something. If your username is quickly matched to a phone number (or email address) it makes phishing (or account takeovers) much easier.


> On the contrary, most customers are under automated attacks, and SMS plus password leaks lets that takeover be fully automated.

Are you implying there's automated SIM swap attacks in the wild? Or, maybe you are saying SMS can be phished? I do agree SMS 2nd factor can be phished, but if phishing is the attack, password leaks are irrelevant since you usually phish both passwords and SMS 2nd factor together, so password leaks don't make any difference.



