Comment by sneak
2 days ago
Using SMS 2FA has been explicitly deprecated for years. It’s insecure for this and a million other reasons.
TOTP is also trivially phishable.
I still have my sense of smugness because I use SOTA 2fa.
2 days ago
Using SMS 2FA has been explicitly deprecated for years. It’s insecure for this and a million other reasons.
TOTP is also trivially phishable.
I still have my sense of smugness because I use SOTA 2fa.
I wish banks would get this memo. Not only is one of my banks enforcing a maximum password length of 6 NUMBERS (no letters/special characters allowed), but also that high-value transfers are only confirmed via SMS 2FA, even though their own banking app also have a separate 2FA thing that doesn't go through SMS, but it's only used for "low-value" actions...
This. My Turkish bank (Garanti BBVA) only works with SMS codes for new logins & payment confirmations, and the app password is 6 digits only, which it also wants (forces) you to change it every now and then because apparently that's a good security measure.
Name and shame
Tangerine (formally ING Direct) in Canada only has 6-digit PINs and SMS 2FA
TD Canada Trust only supports SMS 2FA
PC Financial only supports SMS 2FA
> I still have my sense of smugness
Crappy SMS 2FA or not. Losing your number is a huge pain. Because phone numbers are treated as identity, it also allows the person who took your number to impersonate you by calling into $X service. At least in America.
TOTP is not SOTA 2FA. WebAuthn is SOTA 2FA. TOTP can be phished. WebAuthn cannot.