Feature Request: Secured 2FA Phone Number for sites that only enable SMS 2FA
We all know that OTP is a far more secure 2FA than SMS 2FA. Especially considering the numerous available ways for hackers to convince cell phone carrier customer service agents to enable number ports or SIM swap. HOWEVER: there are an unfortunately high number of websites and services that only allow SMS 2FA (especially financial institutions...).
Frankly... I don't trust my carrier (as no one really should). And until OTP 2FA is more popular, any 2FA provides more security for your customers.
The feature I am proposing is a phone number enabled for 1Password accounts to receive SMS 2FA codes for sites that only support SMS 2FA. While this doesn't solve all the issues surrounding SMS 2FA, it can at least prevent these codes from being stolen by SIM swaps, number porting, etc. (given that 1Password continues to uphold its integrity by engineering to prevent these things from happening).
Let me know what y'all think.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
The feature I am proposing is a phone number enabled for 1Password accounts to receive SMS 2FA codes for sites that only support SMS 2FA.
Just so I understand this correctly: are you suggesting that 1Password itself would give out phone numbers for this, meaning that we would offer that service in addition to password management? Or that you would have a way to connect your existing phone number to 1Password, and somehow mark it as trusted?
In general though, as you said, SMS 2FA is not secure, so the real solution would be for websites to simply stop using this method (it's not like there aren't any safer alternatives out there after all). I fear that if we tried to tackle this ourselves, we wouldn't really be doing anyone any favor, we would just help artificially extend the lifespan of something that should just not be used anymore :/
===
Daniel
1Password Security Team
-
I am suggesting 1Password offering a secured phone number for this purpose. (I don’t even know if it is possible to do the second)
If you all don’t believe it’s worth it, I get it (it was a long-shot request). And indeed, it would be a bandage on a problem that really should be fixed by companies using 2FA that doesn’t involve SMS. Unfortunately, many companies don’t seem to get that we should not be using SMS 2FA (to non-tech companies, offering SMS 2FA is easier, because it’s easier to explain and implement SMS 2FA to tech illiterate people than it is to explain TOTP to these same people), and this doesn’t seem to be changing very quickly.
I am also not suggesting this be used for any service that offers TOTP. While there likely isn’t any way to prevent a customer from doing so, 1Password should stress to customers that use this feature that it is only a last resort safeguard for sites that ONLY offer SMS 2FA.
I also understand that this feature would likely be more costly than most, and I could see it being more justifiable by offering it as part of a more premium feature suite with other more costly cyber security features (such as randomized email addresses with forwarding, VPN, secured DNS, deep/dark web monitoring, ID theft monitoring, etc.) like what Dashlane offers (and maybe more).
But, no matter what, I think this is something that should be considered. SMS 2FA will remain the only option for some sites for the foreseeable future. SMS 2FA authentication will always be threatened by the insecurity of processes at mobile carriers. NO ONE ELSE OFFERS THIS (great differentiator against the flood of password managers now available).
-
Will do. And thanks for building such a fantastic product!
-
:+1: :)
Ben