this post was submitted on 01 Mar 2024
381 points (99.2% liked)
Technology
59534 readers
3183 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
it's sms 2fa, it was never secure. We've had reports of sms 2fa being bypassed for over a decade, but those were mostly sim swap attacks.
Unless your code is being generated locally, it's not secure. Email has the same problem because that can be hijacked to intercept the code. A hardware dongle or TOTP app are the only real secure options for 2fa IMHO.
Yep SMS two factor authentication usage was officially suggested to no longer utilize by NIST in 2016, and in practice before that, to your point.
This shit is old, people! It's trivial to compromise. Start transitioning where you can to passkeys and start using an app based MFA, like Duo or Authy, both free.
My bank literally said no. I asked about using a yubikee or something like Google authenticator and they literally said, enable a pass phrase. That's what they told me.
My stupid work app requires us to change our password every 6 months, no special characters so it's harder to use PW generators, and they don't even support 2FA. Nice that an app that stores my 401k and W-2 documents uses such amateur data security policy.