> So if your workplace is letting you authenticate with SMS codes
There's an old saying in photography, "the best camera is the one you have with you".
IMHO it's very much the same thing with 2FA.
Any 2FA is better than no 2FA.
Sure some 2FA options are more secure than others, but by the same token, there's also a scary number of websites out there that have zero 2FA options. Others make it inordinately difficult to find (e.g. I'm looking at you Slack ... finding where to turn on 2FA in Slack is a nightmare).
Ironically there's no 2FA option for HN either. ;-)
> That's like saying MD5 is fine for hashing passwords, because it's better than plaintext.
No, I'm saying we need to come down to planet earth and recognise we live in the real world. Hence SMS or TOTP is preferable to nothing at all.
It's a bit like the hardcore open-source types who can't see the wood from the trees and cannot fathom why anyone would possibly want to use anything else other than Linux and fully open-source alternatives to Microsoft Office or Photoshop. Sometimes you have to compromise.
How is that false? Name a single example where SMS 2FA is worse than none. And just because it will always come up: 2FA, not treating the second factor as only factor.
> Name a single example where SMS 2FA is worse than none.
SMS is terrible because it is so easy to lose account access.
Phone broken/stolen? Completely locked out.
Or, I have this one financial institution that insists on sending SMS 2FA to the phone number on file, which is a 20+ year old landline which obviously can't receive SMS. Completely locked out. Someday I'll have to find out some way to get my money out of there (they have no local branches).
I will always use TOTP if at all possible, because it's not a single point of failure. I store the seed values securely and they are backed up, so can't be lost.
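The comment above rests on the fact that a TOTP code is a pure function of a shared seed and the clock, so backing up the seed is all that is needed to survive a lost phone. The following is an added example (not code posted in the thread) implementing RFC 4226 HOTP and RFC 6238 TOTP from the standard library, with the seed decoded from the base32 form authenticator apps export, and a verifier that tolerates one step of clock drift. The secret used below is the published RFC 6238 test secret, not a real seed.

```python
import base64
import hashlib
import hmac
import struct
import time

# Published RFC 6238 test secret (ASCII "12345678901234567890"); constructed input, not a live seed.
RFC6238_SHA1_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). Nothing but seed + clock is needed,
    which is why a backed-up seed can be restored on any device."""
    return hotp(secret, int(at_time) // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at_time: float, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current step plus `window` steps either side (client/server clock drift).
    Comparison is constant-time so a verifier cannot leak matching digits."""
    counter = int(at_time) // step
    for c in range(max(counter - window, 0), counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def decode_seed(base32_seed: str) -> bytes:
    """Authenticator apps and otpauth:// URIs carry the seed as base32, usually unpadded and
    sometimes grouped with spaces; normalise and restore padding before decoding."""
    s = base32_seed.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # Restore the seed from its exported base32 form and print the current code.
    seed = decode_seed("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    assert seed == RFC6238_SHA1_SECRET
    print("current 6-digit TOTP:", totp(seed, time.time()))
```

The `window` parameter is the usual trade-off: each extra step accepted widens the set of valid codes at any instant, so keep it at one step either side and rely on NTP rather than a large window.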
That is actually a good point. Hadn’t thought of that.
I hate TOTP, can handle SMS 2FA (sim-swapping is super rare here) and love FIDO/U2F/Webauthn (or whatever it’s called today). I have one with NFC on my keychain, and a backup device in the drawer. No off-site backup key, but encrypted backup codes.
SMS 2FA is significantly, uncategorically, undeniably worse than no 2FA at all.
If your SIM card is hijacked, most websites/companies will quite happily let the impostor click a "Forgot password" link and get an SMS code to verify their identity, which will allow them into the account to take/change whatever other details they want at that time.
That's a poor password reset process, not SMS 2FA. You can do SMS 2FA without having that terrible reset process, you can have a terrible SMS reset process without SMS 2FA. They're two different concepts.
> most websites/companies will quite happily let the impostor click a "Forgot password" link and get an SMS code to verify their identity
That's not 2FA. There is one single factor there, the SMS code.
SMS 2FA does not require you to have a 1FA backdoor, so you can't claim the latter is an inherent fault of the former.
For example, pairing "enter the SMS code" with "click the link we sent to your backup e-mail address" gets you a two-factor password recovery process.
That isn't the best or only method of 2FA password resets, it just comes to mind first because it's the last one I used and it is sufficient to prevent access via SIM hijacking alone.
I do feel though that SMS porting is such a lax system that using it as an authentication factor leads you into a lot of (SMS && social-engineering) situations that would be more preventable if SMS was not involved.
I say this fully realising that in this scenario the party allowing these attacks to work due to poor understanding or lack of proper checks is the real problem.
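To make the distinction in the comment above concrete, here is an added example (not code from the thread) of the two reset flows side by side: the single-channel one where an SMS code alone completes the reset, and a two-channel one that also demands the token from a link sent to the backup e-mail address. The store, function names and the constructed in-memory delivery of the tokens are assumptions for illustration; a real service would send the SMS and e-mail and persist the pending entry.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # both tokens expire together
MAX_ATTEMPTS = 5         # a 6-digit SMS code is trivially guessable without a cap


def _digest(value: str) -> bytes:
    # Store only a hash, so a leaked pending-reset table does not hand out live codes.
    return hashlib.sha256(value.encode()).digest()


class RecoveryStore:
    """Pending password resets kept in memory (constructed for the example); `now` is
    injectable so expiry can be tested without sleeping."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}

    def start(self, user: str):
        """Issue both tokens. In a real system the code goes out by SMS and the link token
        by e-mail; here they are simply returned to the caller."""
        sms_code = f"{secrets.randbelow(10 ** 6):06d}"
        email_token = secrets.token_urlsafe(32)
        self.pending[user] = {
            "sms": _digest(sms_code),
            "email": _digest(email_token),
            "expires": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return sms_code, email_token

    def take(self, user: str):
        """Return the live entry for a verification attempt, or None if expired/exhausted."""
        entry = self.pending.get(user)
        if entry is None or self.now() > entry["expires"]:
            self.pending.pop(user, None)
            return None
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[user]
            return None
        return entry


def sms_only_reset(store: RecoveryStore, user: str, sms_code: str) -> bool:
    """The flow criticised above: one channel, so a SIM swap alone completes the reset."""
    entry = store.take(user)
    if entry is None or not hmac.compare_digest(entry["sms"], _digest(sms_code or "")):
        return False
    del store.pending[user]
    return True


def two_channel_reset(store: RecoveryStore, user: str, sms_code, email_token) -> bool:
    """Requires proof of both channels; an attacker holding only the SMS code (or only the
    mailbox) is rejected. Both checks run regardless of the first result."""
    entry = store.take(user)
    if entry is None:
        return False
    ok_sms = hmac.compare_digest(entry["sms"], _digest(sms_code or ""))
    ok_email = hmac.compare_digest(entry["email"], _digest(email_token or ""))
    if not (ok_sms and ok_email):
        return False
    del store.pending[user]
    return True


if __name__ == "__main__":
    store = RecoveryStore()
    sms, email = store.start("alice")
    # Attacker after a SIM swap holds only `sms`.
    print("SMS-only flow, attacker with SIM:", sms_only_reset(store, "alice", sms))
    sms, email = store.start("alice")
    print("two-channel flow, attacker with SIM:", two_channel_reset(store, "alice", sms, None))
    print("two-channel flow, legitimate user:", two_channel_reset(store, "alice", sms, email))
```

The attempt cap and shared expiry matter as much as the second channel: without them the short SMS code can be brute-forced, and a long-lived e-mail link gives an attacker who later gets the mailbox a second chance.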