2-Factor Authentication App "Authy". Same App (Cloud) for many devices and OS.
SMS 2FA #SMS2FA #2FA #2factorbypass #2factorauthetification #Authy
@ScriptFanix @BernetaWrites Yeah, that's been a suspicion with the #SMS2FA cancellation with no plans to explain how to switch to other safer authenticators & no care for the issues of just leaving accounts with only single-factor authentication.
Automated bots sitting on cracked lists of leaked passwords & reaping those accounts the second SMS2FA goes out.
@dalias @erincandescent @mjg59 There are additional problems with #SMS2FA even when done properly.
#NIST has commented on it.
Daily reminder that #SMS2FA is such a bad idea that even #NIST agrees it shouldn't be used and is deprecated: https://pages.nist.gov/800-63-3/sp800-63b.html#-5133-authentication-using-the-public-switched-telephone-network
@toomas_ilves Why you would even pay to use such a weak form of #2fa is over my head.
I personally removed #sms2fa from all websites after realizing my SIM and account were connected to my family, and family members fell for scams and social engineering phishing.
#authenticator apps and #hardware keys such as YubiKey are the only way to go.
@Torchwood Huh, that's weird, it's working on my end. Well, in any case it's just a short statement by myself about #TOTP > #SMS2FA and a link to #NIST as a reference: https://pages.nist.gov/800-63-3/sp800-63b.html#-5133-authentication-using-the-public-switched-telephone-network
@remi @cstross Refusal to learn from the past is responsible for a lot of the current issues.
Some of it wasn't even just refusal, but trivialization of the problems too as inconsequential.
I think part of it has to be addressed in education going forward.
Also the mentioned continued use of #SMS2FA deeply annoys me. It should be criminal for any business to do so at this point.
@matthew_d_green Some password managers, namely #KeepassXC, can handle 2FA.
That does technically reduce it to single-factor but anyway, still an option. Adding isolation #Qubes style is probably a good idea to prevent easy compromise.
Regarding #SMS2FA, I've taken to reposting this when someone mentions it: https://pages.nist.gov/800-63-3/sp800-63b.html#-5133-authentication-using-the-public-switched-telephone-network