Comment by morgan814
1 day ago
Not too long ago I had someone port out my VoIP number. They had it for a few hours. This was after I had spent extensive effort attempting to secure my digital life. VoIP was SIM-swap resistant, sure, but I totally missed that port-out requests default to failing open.
Thankfully the VoIP operator alerted me and pulled the number back. Then I set a port-out code.
Who knows how many other holes I have. I lost my sense of smugness that day.
Using SMS 2FA has been explicitly deprecated for years. It’s insecure for this and a million other reasons.
TOTP is also trivially phishable.
I still have my sense of smugness because I use SOTA 2FA.
> I still have my sense of smugness
Crappy SMS 2FA or not, losing your number is a huge pain. Because phone numbers are treated as identity, it also allows the person who took your number to impersonate you by calling into $X service. At least in America.
I wish banks would get this memo. Not only is one of my banks enforcing a maximum password length of 6 NUMBERS (no letters/special characters allowed), but high-value transfers are only confirmed via SMS 2FA, even though their own banking app also has a separate 2FA thing that doesn't go through SMS; it's only used for "low-value" actions...
This. My Turkish bank (Garanti BBVA) only works with SMS codes for new logins & payment confirmations, and the app password is 6 digits only, which it also wants (forces) you to change every now and then because apparently that's a good security measure.
Name and shame
Tangerine (formerly ING Direct) in Canada only has 6-digit PINs and SMS 2FA
TD Canada Trust only supports SMS 2FA
PC Financial only supports SMS 2FA
TOTP is not SOTA 2FA. WebAuthn is SOTA 2FA. TOTP can be phished. WebAuthn cannot.
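The phishability difference the last two comments argue about comes down to one thing: a TOTP code carries no information about where it was typed, while a WebAuthn assertion signs the origin the browser actually saw. The following is an added, self-contained simulation of both flows, not code posted by anyone in this thread. It implements RFC 6238 TOTP with the standard library, then a simplified WebAuthn assertion in which the "signature" is an HMAC stand-in for the real ECDSA/Ed25519 signature (the origin binding, not the signature algorithm, is the point). The hostnames, the challenge, the credential secret and the trimmed-down authenticatorData layout are all constructed for the example.

```python
"""Relayed TOTP vs relayed WebAuthn (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import secrets
import struct

# ---------- TOTP, RFC 6238 (HMAC-SHA1, 30 s step, 6 digits) ----------
def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def totp_verify(secret: bytes, code: str, unix_time: float, step: int = 30, window: int = 1) -> bool:
    # Servers usually accept one step of clock drift either way. The code itself says
    # nothing about which site it was typed into, so anyone holding it can use it.
    return any(hmac.compare_digest(totp(secret, unix_time + k * step), code)
               for k in range(-window, window + 1))

# ---------- WebAuthn assertion, simplified ----------
RP_ID = "bank.example"                  # constructed relying-party id
REAL_ORIGIN = "https://bank.example"    # constructed
PHISH_ORIGIN = "https://bank-example.com"  # constructed look-alike

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def authenticator_sign(cred_key: bytes, rp_id: str, origin: str, challenge: str):
    # The browser, not the page, fills in clientDataJSON.origin from the page it is on.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP set) || signCount (4 bytes), simplified
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + b"\x00\x00\x00\x00"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()   # stand-in for ECDSA
    return client_data, auth_data, sig

def browser_get_assertion(page_origin: str, rp_id: str, challenge: str, cred_key: bytes):
    # First line of defence: the browser refuses an rpId that is not a registrable
    # suffix of the page's host, so the phishing page never gets an assertion at all.
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId is not valid for this origin")
    return authenticator_sign(cred_key, rp_id, page_origin, challenge)

def rp_verify(cred_key: bytes, client_data: bytes, auth_data: bytes, sig: bytes,
              expected_challenge: str) -> bool:
    # Second line of defence: the relying party checks origin, challenge and rpIdHash
    # before it even looks at the signature.
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False
    if cd.get("origin") != REAL_ORIGIN:
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def run_scenarios() -> dict:
    results = {}
    # TOTP: the victim types the current code into the phishing page at t0;
    # the attacker submits it to the real site five seconds later.
    totp_secret = b"12345678901234567890"        # RFC 6238 test key, constructed use
    t0 = 1_700_000_000.0
    code = totp(totp_secret, t0)
    results["totp_relay_accepted"] = totp_verify(totp_secret, code, t0 + 5)

    # WebAuthn: the attacker relays the real site's challenge to the victim's browser.
    cred_key = secrets.token_bytes(32)
    challenge = _b64url(secrets.token_bytes(32))
    cd, ad, sig = browser_get_assertion(REAL_ORIGIN, RP_ID, challenge, cred_key)
    results["webauthn_real_accepted"] = rp_verify(cred_key, cd, ad, sig, challenge)
    try:
        browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge, cred_key)
        results["webauthn_browser_refused"] = False
    except PermissionError:
        results["webauthn_browser_refused"] = True
    # Even if an assertion were somehow produced on the phishing origin, the signed
    # clientDataJSON names that origin, and the relying party rejects it.
    cd, ad, sig = authenticator_sign(cred_key, RP_ID, PHISH_ORIGIN, challenge)
    results["webauthn_relay_rejected"] = not rp_verify(cred_key, cd, ad, sig, challenge)
    return results

if __name__ == "__main__":
    print(run_scenarios())
```

The TOTP relay succeeds because the code is valid anywhere for the whole step window, which is exactly the window a real-time phishing proxy needs. The WebAuthn relay fails twice over: the browser will not produce an assertion for an rpId that does not match the phishing page's host, and even a forged-origin assertion is rejected server-side because the origin is inside the signed data. The same origin check is why a relying party must compare `origin` against an allow-list of its own origins rather than merely checking that a signature is valid.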