SMS as 2FA yet?
Question: Is it active yet or has it disappeared? In case someone loses the smartphone and is not using pendrives or other devices with 2FA.
Thanks. |
It disappeared as part of FastMail's rollout of the new 2FA system last summer, and I'd guess that it's probably not coming back... A post here by brong from the FastMail team suggests that it's pretty much known to be "awful for security" as well as reliability/deliverability.
|
Trust in SMS is a quick path to having your identity stolen 🕵
|
Thank you both for your answers. Yes, I know it's not safe, but it's safer than nothing. So, if you are without a smartphone (or don't want to use a smartphone anymore) and can't use another device, then SMS as 2FA is better than no 2FA. But I see that it's not in FM anymore.
|
There are a few command line tools for generating time-based one-time passwords. There's no real magic to it, the codes are just generated from running a SHA1 algorithm on a secret string. A QR code is just a silly/inefficient way of communicating that secret string to an app, it's little different to copy/paste.
Have a google around and see what you're comfortable with using. |
Quote:
I would say the reason f/m don't want to use sms is the cost and reliability of phone companies. |
Quote:
The new 2FA system also supports only TOTP now for one-time passwords — either via a TOTP app like Google Authenticator or a Yubikey OTP device; the old static OTP lists that you could print are no more. Alternatively, you can also use the even more secure U2F method, assuming you have a U2F device and are using a browser (Google Chrome) that supports U2F. To be fair, though, I also sort of lied about SMS not being available — FastMail does provide SMS authentication as a backup in the event that you don't have access to your TOTP device or U2F key. It's clearly intended to be more of a backup/recovery method than a primary authentication method, but technically speaking, it does work in about the same way; I think FastMail just makes it a "backup" method to steer people toward the more effective TOTP/U2F system. You can get an SMS code when logging in by clicking the "Send a code to your backup phone number" link at the bottom of the second-factor screen (this of course assumes you've added your phone number in the "Account Recovery" section in your FastMail "Password & Security" preferences). |
Quote:
The reality is that you're not going to get the vast majority of average users (probably 90% of the bank/Government user base) to fiddle with TOTP apps or buy U2F keys, so you're left with having to lower your security standards to the very lowest solution that pretty much every one of your clients has access to, and of course that's SMS, since almost everyone has a mobile phone these days. Again, better than not having a second factor at all, and a big part of any security model is buy-in and usability from the user base. Security that nobody is going to use is no better than no security at all. |
Thank you very much, doubt resolved :)
Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy