Not a good idea to use SMS in MFA

Here’s a good article if you still use SMS as a part of multi-factor authentication.

1 Like

Less about SMS as a second factor, more about checking to make sure the two parts were from the same user.

Put differently, Box not only did not check whether the victim was enrolled in an authenticator app-based verification (or any other method barring SMS), it also did not validate that the code entered is from an authenticator app that’s actually linked to the victim who is attempting to log in.

But it does make you wonder how many other places are neglecting the same thing.
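The check the quoted passage describes can be made concrete. The following is an added example, not code from the thread or from Box: it implements RFC 6238 TOTP and compares a second-factor verifier that only checks "is this a valid code for the factor id I was handed" against one that also checks that the factor is actually enrolled for, and owned by, the account that is mid-login. User names, factor ids and secrets are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing for_time."""
    counter = for_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


@dataclass(frozen=True)
class Factor:
    owner: str      # account the factor was enrolled for
    kind: str       # "sms" or "totp"
    secret: bytes   # TOTP seed; empty for SMS


# Constructed sample data: alice only ever enrolled SMS, mallory enrolled an
# authenticator app. The secrets are made up for this example.
FACTORS = {
    "f-alice-sms": Factor("alice", "sms", b""),
    "f-mallory-totp": Factor("mallory", "totp", b"mallory-constructed-seed-01"),
}
ENROLLED = {
    "alice": {"f-alice-sms"},
    "mallory": {"f-mallory-totp"},
}


def verify_totp_unchecked(login_user: str, factor_id: str, code: str, now: int) -> bool:
    """Weak verifier: validates the code against whatever factor id the client
    submitted, never asking whether that factor belongs to login_user or
    whether login_user is enrolled in app-based verification at all."""
    factor = FACTORS.get(factor_id)
    if factor is None or factor.kind != "totp":
        return False
    return hmac.compare_digest(totp(factor.secret, now), code)


def verify_totp_checked(login_user: str, factor_id: str, code: str, now: int) -> bool:
    """Hardened verifier: the factor must be a TOTP factor that is enrolled
    for, and owned by, the account currently attempting to log in."""
    factor = FACTORS.get(factor_id)
    if factor is None or factor.kind != "totp":
        return False
    if factor.owner != login_user or factor_id not in ENROLLED.get(login_user, set()):
        # Either the factor is someone else's, or this account never enrolled it.
        return False
    return hmac.compare_digest(totp(factor.secret, now), code)


if __name__ == "__main__":
    t = 1_700_000_000  # fixed clock so the run is reproducible
    code = totp(FACTORS["f-mallory-totp"].secret, t)
    print("unchecked accepts mallory's factor for alice:",
          verify_totp_unchecked("alice", "f-mallory-totp", code, t))
    print("checked accepts mallory's factor for alice:  ",
          verify_totp_checked("alice", "f-mallory-totp", code, t))
```

The difference between the two verifiers is a single ownership and enrollment check; a code being cryptographically valid for some factor says nothing about whose factor it is. A real deployment would also bind the factor id to the server-side login session rather than trusting the client to name it.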

Totally agree, security is only as good as its implementation!

Unfortunately, Bank of America and Synchrony (Amazon) only make me use SMS for 2FA. Banks do not care about app-based SMS.

Actually, now you mention it, I do have an internet-based account which uses SMS, though most of the UK banks use a hardware-based code generator.

Banks (at least mine) have their own apps for phones. Those apps are sometimes used as 2FA.
That's quite OK, but:

  1. I have /e/ OS flashed on my phone and the banks' apps are not in the app store (probably those apps only work on Google Android).

  2. If you have more different accounts (not only banks, but different services), then you need each service's specific app.

I think it is necessary that online services must have at least 2FA and you can use e.g. Authy or U2F, and you could use a hardware key, e.g. Yubico.
Hope it will become standard.

Yeah, I do agree having 2FA in Authy (I use KeePassXC) is super handy, very easy to back up. Those hardware keys such as Yubico are still pricey when you need a few for backup.

I’m still a dinosaur, using a virtual machine running Linux to access my bank accounts. I don’t trust my android phone as I have no idea what it does most of the time. But it’s the future for this generation.

1 Like