genew@telus.net
Date: Mon, 09 Apr 2018 10:45:47 -0700
http://www.computerworld.com/article/3268134/mobile-wireless/a-bad-day-with-mobile-2fa.html
Evan Schuman, Computerworld, 9 Apr 2018
Texting confirmation numbers is a very weak link;
texting them to my landline is just dumb.
The Zen of Mobile
selected text:
One of my favorites -- a small and little-known site -- asked for my login and password. I complied, and it then escalated to 2FA. It didn't give me any options about the second factor (which is mobile 2FA problem number one) and insisted on texting me a confirmation number.
I waited but nothing arrived. So I asked it to do it again and again. Nothing. That's when I realized that the site was likely trying to text my landline. And that is mobile 2FA problem number two: If you're asking for my phone number so that you can text me sometime down the road, tell me that, and I'll give you my cellphone number. Otherwise, you'll get the number I most often answer, my landline, and it will do you no good when it's really needed.
And this is where problem number one bumps up against problem number two: If texting doesn't work, users need another option, at the very least a support number to call.
But wait, there's more. I next tried to post to Google Plus. Thoughts of my recent 2FA problem flitted through my head, but I thought to myself, fear not, Google uses an excellent 2FA that doesn't rely on texting confirmation numbers. It knows that process is far too susceptible to man-in-the-middle attacks. No, for Google, I have a trusty USB fob. And when I tried logging in, it insisted on the fob. But it was just not my 2FA day; when the fob was inserted, nothing happened.
And that's when I learned that I was giving Google too much credit for being security-conscious. When Google couldn't see the fob, it just defaulted to a texted confirmation number. (It turned out that a laptop reboot made the invisible USB device visible again.)
Companies need to have a human-managed backup to security so that legitimate users aren't locked out with no way back in. If you can't justify a call center, then at least have an email address pop up -- and make sure that inbox is watched aggressively.
2FA is a great idea, but companies need to think through these issues better. For starters, if you want a mobile phone number, just say so.
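An added illustration, not from the column or the poster: a second-factor selection policy that avoids the two failures described above (texting a number never confirmed as mobile, and silently stepping down from a hardware key to SMS when the key is not detected) and always carries a human-managed recovery path. The factor names, the Account fields and the "available" set are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Strength ranking is an assumption for the example: SMS is the weakest
# because texted codes can be intercepted or misdelivered.
STRENGTH = {"security_key": 3, "totp": 2, "sms": 1}


@dataclass
class Account:
    enrolled: set                    # factors the user has set up
    phone_kind: str = "unknown"      # "mobile", "landline" or "unknown"
    support_contact: str = ""        # human-managed recovery path


@dataclass
class Decision:
    offer: list = field(default_factory=list)   # factors to present now
    needs_user_choice: bool = False  # step-down only with explicit consent
    recovery: str = ""               # where a locked-out user can turn
    reasons: list = field(default_factory=list)


def choose_second_factor(acct, available):
    """Return the factors to present for this login attempt.

    'available' is the set of factors usable right now (e.g. the USB key
    was detected). A stronger enrolled factor that is unavailable never
    silently degrades to SMS: the caller must ask the user first.
    """
    d = Decision(recovery=acct.support_contact)
    if not d.recovery:
        d.reasons.append("no human-managed recovery path configured")
    usable = []
    for f in sorted(acct.enrolled, key=lambda f: -STRENGTH[f]):
        if f == "sms" and acct.phone_kind != "mobile":
            d.reasons.append("sms skipped: number not confirmed mobile")
            continue
        if f in available:
            usable.append(f)
        else:
            d.reasons.append(f"{f} enrolled but not available now")
    if not usable:
        d.reasons.append("no factor usable: route to recovery")
        return d
    strongest = max(acct.enrolled, key=lambda f: STRENGTH[f])
    if STRENGTH[usable[0]] < STRENGTH[strongest]:
        d.needs_user_choice = True   # ask before stepping down
    d.offer = usable
    return d
```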