Is 2FA via SMS on the way out?

wkleem
Community Member

There is a 9to5 Mac article which suggests that Apple and others will prevent SMS 2 Factor Authentications.
9to5mac.com/2016/07/26/sms-too-insecure-for-2fa/

What does Agilebits think of this?



Comments

  • It's a good thing since SMS itself is an insecure channel.

    Also, it's not that Apple will prevent them, they would be complying with the standard to not use SMS for this authentication method, which is the right thing to do.

  • wkleem
    Community Member

    Thanks @MikeT,

    There is a potential issue, which is that some people, especially old people, don't like smartphones and will only use SMS-enabled feature phones. They are stubborn.

  • There are some folks that resist the Internet and technology altogether as well. ;)

    Ben

  • danco
    Volunteer Moderator

    And there are issues if one is travelling.

    I live in England and my non-smart cell phone is not used when I am in the USA.

  • khad
    1Password Alumni

    Many people can't even get SMS messages when they travel internationally, since they either don't have a cellular plan that allows them to receive SMS messages internationally or they buy a SIM card in the country where they are traveling… and that has a completely different phone number.

  • Potentially relevant:

    https://youtu.be/LlcAHkjbARs

    Linus Media Group had an issue where the founder's cell provider was compromised (social engineering?) and they created a SIM for Linus' account for an unauthorized party (so that the unauthorized party started getting all of his calls / texts, and he stopped getting them).

    Ben

  • wkleem
    Community Member

    Dear Agilebits Team,

    Thanks for the comments and thank you @Ben for the video. That was enlightening!

  • khad
    1Password Alumni

    On behalf of Ben and the rest of us here, you are quite welcome! :)

    It's always enlightening to chat about these sorts of things.

  • prime
    Community Member

    I have a great video too about this happening to another person's account, BUT it has some borderline language. I would message the video to someone to check it out, but yeah... I can't message people...

    Anyways, I added a 4-8 digit PIN to my cell account. No one can make any changes to my cell account unless they give the cell phone provider my PIN. I suggest everyone do this.

  • khad
    1Password Alumni
    edited July 2016

    @prime,

    Feel free to post the video with a clear disclaimer. That way folks can decide for themselves if they want to click to view it or not. We're all about choice here at AgileBits. :)

    And I'm interested to see it.

  • prime
    Community Member
    edited July 2016

    Ok, @khad, here it is. Basically saying the same as the video above, and it shows how they did it too. Warning, some profanity in this video.

    https://youtu.be/caVEiitI2vg

  • wkleem
    Community Member

    Hi

    Any thoughts on dual SIM phones? There are Microsoft and Android versions. I may pick one up, Lumia 640, while stocks last. The 650 updated version is impossible to find.

  • khad
    1Password Alumni
    edited August 2016

    I would love a dual SIM phone. Unfortunately, I rely too heavily on iOS and apps that are only available for iOS to use a non-Apple phone. I can dream of one day having a dual-SIM iPhone, but I'm probably just dreaming… :)

  • Agreed; dual SIM sounds awesome but I'm pretty well embedded in the Apple ecosystem. I've tried Android, and I have used Windows for years (still do), but iOS & Mac are my go-to and I don't see that changing in the near future.

    Ben

  • wkleem
    Community Member
    edited August 2016

    I am having this odd issue where the Apple 2FA refuses to appear on my designated iPad. I'm currently using Windows 7, not OS X El Capitan. Because I repeatedly hit resend new code, I've now exceeded the number of retries. I haven't used the recovery key, which will work.

    I've tried again after a short duration and the 2FA now works when it should have been immediate?

  • Sorry @wkleem, while I use Apple's 2FA I'm not intimately familiar with how it works. :( Perhaps a question that could be better answered by Apple themselves.

    Ben

  • wkleem
    Community Member
    edited August 2016

    The point of the matter, Ben, is that 2FA isn't perfect and can have hiccups, like what I've experienced when the code isn't delivered in a timely manner.

  • I'd agree, when it comes to 2FA via SMS.

    Ben

  • wkleem
    Community Member

    To all who replied,

    Thanks for putting things in perspective, how true! :-)

  • Megan
    1Password Alumni

    Hi @wkleem,

    Thanks for asking the question! It’s been an interesting thread to read. :)

  • wkleem
    Community Member
    edited August 2016

    @Megan,

    There have been other options, though probably more inconvenient, like a hardware-based OTP device. I don't have any to try but it is supposedly more secure than plain old SMS. An inconvenience is that if each vendor requires one device each, then you will end up with one device for Citibank, one device for RSA, etc., etc. :(

  • Megan
    1Password Alumni

    Hi @wkleem,

    Seems a bit of a shame that we can’t all agree on one way to implement TOTP so multiple solutions are not needed.

This discussion has been closed.