>>Frankly, a secure password alone, with no second factor, is "drastically" better than a secure password with ability to change that password by SMS, as is frequently the case (a quarter of the time, per that research). So set up LastPass or 1Password for your aunt.
Obviously password resets shouldn't be possible by SMS alone, I never claimed otherwise. I'm talking about using SMS as a second factor - in addition to having the valid password.
>>As for "protects her from 95% of the attacks she is likely to face", that's a number that doesn't jive with my experiences as CTO of the second largest bank in the world.
In my experience, low-net-worth + technically unsophisticated users are mostly at risk from brute force attacks and/or credential stuffing, and SMS (as an actual second factor, not a "reset the password for free" button) is very effective at stopping that.
>>On the contrary, most customers are under automated attacks, and SMS plus password leaks lets that takeover be fully automated.
If your customers have phone number/username/password all leaked together...sure, I can believe that. Probably you should focus on preventing leaks of that size.
> If your customers have phone number/username/password all leaked together...sure, I can believe that. Probably you should focus on preventing leaks of that size.
A substantial proportion of your customers' email + password pairs have been leaked before they sign up with you. Email and phone are already paired from data brokers, you don't need the dump.
A majority of SaaS providers and banks fail to check for previously leaked creds. Many of the same ones that think SMS is "perfectly good".
Is your bank one of the ones that uses email addresses for usernames? Because that's a great way to make it much easier for attackers to match up leaked creds. Consider switching to a (chosen) username or card number or something. If your username is quickly matched to a phone number (or email address) it makes phishing (or account takeovers) much easier.
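An added illustration of the leaked-credential check the comment above says most SaaS providers and banks skip (example code written for this page, not by any commenter). The breach corpus is a constructed stand-in, and the prefix/suffix index mirrors the k-anonymity range-lookup shape used by breach-check services, so only a short hash prefix would ever leave the signup server.

```python
import hashlib

# Constructed sample of a breach corpus: SHA-1 digests of a few passwords that
# are known to appear in public dumps. Hypothetical stand-in, not a real dataset.
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in LEAKED_PASSWORDS}


def range_index(hashes):
    """Build a prefix -> set(suffix) index, the shape a k-anonymity range
    lookup works over: the caller sends only the first 5 hex characters and
    matches the remaining 35 locally, so the full hash is never transmitted."""
    index = {}
    for h in hashes:
        index.setdefault(h[:5], set()).add(h[5:])
    return index


RANGE_INDEX = range_index(LEAKED_SHA1)


def is_leaked(password, index=RANGE_INDEX):
    """Return True if the password's SHA-1 is in the corpus. In production the
    `index.get(prefix)` step would be a network call carrying only the prefix."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in index.get(prefix, set())


def signup_password_check(password, min_len=12):
    """Policy gate at account creation: reject leaked or too-short passwords
    and return a reason the signup form can display."""
    if len(password) < min_len:
        return (False, "too short")
    if is_leaked(password):
        return (False, "appears in a known breach")
    return (True, "ok")


if __name__ == "__main__":
    for candidate in ["password", "qwertyqwerty", "a-long-unleaked-phrase-42"]:
        print(candidate, signup_password_check(candidate, min_len=8))
```

The same check belongs on the login path too, so existing accounts whose password later shows up in a dump are forced to rotate rather than left exposed to credential stuffing.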