Comment by sneak
1 day ago
Using SMS 2FA has been explicitly deprecated for years. It’s insecure for this and a million other reasons.
TOTP is also trivially phishable.
I still have my sense of smugness because I use SOTA 2fa.
> I still have my sense of smugness
Crappy SMS 2FA or not, losing your number is a huge pain. Because phone numbers are treated as identity, it also allows the person who took your number to impersonate you by calling into $X service. At least in America.
I wish banks would get this memo. Not only is one of my banks enforcing a maximum password length of 6 NUMBERS (no letters/special characters allowed), but also high-value transfers are only confirmed via SMS 2FA, even though their own banking app also has a separate 2FA thing that doesn't go through SMS, but it's only used for "low-value" actions...
This. My Turkish bank (Garanti BBVA) only works with SMS codes for new logins & payment confirmations, and the app password is 6 digits only, which it also wants (forces) you to change every now and then because apparently that's a good security measure.
Name and shame
Tangerine (formerly ING Direct) in Canada only has 6-digit PINs and SMS 2FA
TD Canada Trust only supports SMS 2FA
PC Financial only supports SMS 2FA
TOTP is not SOTA 2FA. WebAuthn is SOTA 2FA. TOTP can be phished. WebAuthn cannot.
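The mechanics behind that last comment, as an added Python example that is not code from any commenter or from any bank named in this thread: a TOTP code typed into a phishing page relays to the real site unchanged, because nothing in the code says where it was typed; a WebAuthn assertion carries the browser-supplied origin and the hash of the relying-party ID inside the signed data, so the same relay fails at the real site. The names bank.example and bank-example.evil are assumptions, the TOTP secret is the RFC 4226/6238 test vector, and the authenticator's signature is modelled with an HMAC over a per-credential secret instead of an asymmetric key pair, a simplification that does not change the origin-binding point.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse

# ---------- TOTP (RFC 6238: HOTP over a 30-second counter, HMAC-SHA1, 6 digits) ----------

def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp_verify(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    # Servers usually accept the neighbouring steps too, which widens the relay window.
    return any(hmac.compare_digest(totp(secret, now + k * 30), code)
               for k in range(-window, window + 1))

def totp_phish_relay(secret: bytes, now: int) -> bool:
    # Victim types the code into the phishing page; the phisher forwards it to the real
    # site a few seconds later. Nothing in the six digits identifies where they were typed.
    code_typed_into_phishing_page = totp(secret, now)
    return totp_verify(secret, code_typed_into_phishing_page, now + 5)   # True: relay succeeds

# ---------- WebAuthn assertion (simplified: HMAC stands in for the credential's signature) ----------

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

class Authenticator:
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)   # stand-in for the credential private key (assumption)

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        # authenticatorData = rpIdHash (32 bytes) || flags (UP set) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self.key, signed, hashlib.sha256).digest()

def browser_get(authn: Authenticator, page_origin: str, challenge: bytes):
    # The browser, not the page, writes the origin into clientDataJSON, and the rpId it
    # hands to the authenticator is derived from the page's own effective domain.
    rp_id = urlparse(page_origin).hostname
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64u(challenge),
                      "origin": page_origin}, separators=(",", ":")).encode()
    auth_data, sig = authn.get_assertion(rp_id, cdj)
    return cdj, auth_data, sig

def rp_verify(cred_key: bytes, expected_origin: str, rp_id: str, challenge: bytes,
              cdj: bytes, auth_data: bytes, sig: bytes) -> str:
    """Relying-party checks in the order the spec lists them; returns 'ok' or the failing check."""
    cd = json.loads(cdj)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != b64u(challenge):
        return "bad challenge"
    if cd.get("origin") != expected_origin:
        return "bad origin"                              # this is the phishing resistance
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "bad rpIdHash"
    if not auth_data[32] & 0x01:
        return "user not present"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(cdj).digest(), hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, sig) else "bad signature"

def webauthn_phish_relay():
    authn = Authenticator()
    rp_origin, rp_id = "https://bank.example", "bank.example"      # assumed relying party
    challenge = secrets.token_bytes(32)

    # 1. Legitimate login on the real origin.
    legit = rp_verify(authn.key, rp_origin, rp_id, challenge, *browser_get(authn, rp_origin, challenge))

    # 2. Phishing page relays the real site's challenge; the browser still records its own origin.
    cdj, auth_data, sig = browser_get(authn, "https://bank-example.evil", challenge)
    relayed = rp_verify(authn.key, rp_origin, rp_id, challenge, cdj, auth_data, sig)

    # 3. Phisher edits the origin field before forwarding: the signed rpIdHash still names
    #    the phishing domain, and the signature covers the original clientDataJSON anyway.
    edited = json.loads(cdj)
    edited["origin"] = rp_origin
    forged_cdj = json.dumps(edited, separators=(",", ":")).encode()
    tampered = rp_verify(authn.key, rp_origin, rp_id, challenge, forged_cdj, auth_data, sig)

    return legit, relayed, tampered      # ("ok", "bad origin", "bad rpIdHash")

if __name__ == "__main__":
    print("TOTP relay accepted:", totp_phish_relay(b"12345678901234567890", 59))
    print("WebAuthn (legit, relayed, tampered):", webauthn_phish_relay())
```

The TOTP half is deliberately generous to the attacker only in the way real deployments are: the server's plus-or-minus-one-step window means the phisher has up to a minute to relay, and shrinking it does not help, since an automated relay completes in under a second. The WebAuthn half shows why no UX change is needed to stop the same attack: the user can be fooled, but the browser will not lie about the origin, and the authenticator will not sign for an rpId the page is not entitled to.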