SMS 2FA is better than nothing if, and only if, you don't allow password resetti...

CiPHPerCoder · on Oct 17, 2019

TOTP is better than SMS in that it's secure with fewer caveats.

Why am I being downvoted?

I'm literally willing to volunteer days of my time, unpaid, to prevent SMS 2FA in favor of something more secure (i.e. TOTP).

RKearney · on Oct 17, 2019

> Why am I being downvoted?

I can't speak for all of those who downvoted you, but the comment you responded to mentioned how SMS based 2FA would be better than what they do today (i.e. nothing).

This is a fact. SMS 2FA, regardless of how bad it is, is still another hurdle an attacker would have to overcome. An additional hurdle, no matter how small, is still better than nothing at all. Therefore the assertion that SMS 2FA would be better than what they do today is simply an irrefutable fact.

If you left off the "Oh god please no." portion of your comment, you may not have been downvoted.

tedunangst · on Oct 17, 2019

SMS 2FA includes the negative energy of "we have this, so we don't need TOTP or something better." It may well be a net negative.

The corollary to don't let the perfect be the enemy of the good is don't let the barely better be the enemy of the substantially better.

Thorrez · on Oct 18, 2019

Generally companies treat the SMS 2FA as an additional check, so it's a security improvement. But some companies also then allow it to be used for password recovery, which is generally a security regression. Also multiple companies have used SMS 2FA numbers for ad targeting.

https://news.ycombinator.com/item?id=21197553

tomjen3 · on Oct 17, 2019

Not really. It means I now have to prove prove to the site that I got my sim hacked and has to go to a ton of trouble getting my phone number back.

Seriously auth over sms should not only be froned upon, but illegal. It is a nice cover you ass for the site that does it, but if you do 2f any way that is not using a uf2 physical token you should not be allowed near a computer.