On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <mel@beckman.org> wrote:
SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you:
https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html
Mel, That Schneier article is from 2016. The 3/2020 update to the NIST recommendation (four years later and the currently active one) still allows the use of SMS specifically and the PSTN in general as an out of band authenticator in part of a two-factor authentication scheme. The guidance includes a note explaining the social engineering threat to SMS authenticators: "An out of band secret sent via SMS is received by an attacker who has convinced the mobile operator to redirect the victim’s mobile phone to the attacker." https://pages.nist.gov/800-63-3/sp800-63b.html#63bSec8-Table1 The bottom line is that an out-of-band authenticator like SMS is meant to -enhance- the security of a memorized secret authenticator, not replace it. If properly used, it does exactly that. If misused, it of course weakens your security. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/