Replies: 4 comments
-
I think password reset, and the password situation in general, is beyond the scope of this project.
-
I agree that password length/complexity is beyond the scope of this project, but the issue flagged here is integral to 2FA itself and should be included in some form. I think adding an additional column is probably not the right solve as it would complicate the current framework. Instead, this should be captured as an exception that can be read upon mouseovering the warning icon, and the language should be strongly worded.
-
I just happened to encounter this issue with Con Edison and it made me think of how the language might be worded. "Warning: 2FA can be bypassed through password reset by email or text." "or text" might not apply to the sites @Lucent flagged but it applies to ConEd.
-
I don't think it can be overstated how serious this is. The warning should read, "Your password can now be completely bypassed and deactivated by anyone who can intercept an SMS to your mobile account." Twitter recently fixed this to much fanfare: https://www.cnet.com/how-to/twitter-finally-makes-an-important-security-change-that-helps-everyone/ It would be nice if other services could be rewarded for making the right decision with a note or removed black mark here. Wordpress.com is an offender as well.
-
While SMS as a true second factor is an increase in security, if the 6-digit code in an SMS can often reset a password entirely, I would argue security is actually decreased as the password can be bypassed entirely and the 6-digit number serves as a single factor for authentication in place of the password.
The ability of hackers to hijack a SIM or intercept an SMS is becoming increasingly mainstream. Replacing a secure, multi-character password with a 6-digit number sent over the air to your phone number (not even your phone, but your phone number, an important difference) is arguably a significant decrease in security.
Many sites now request your phone number before enabling 2FA and silently install it as a reset method, so as you're enabling an app-based 2FA approach which would add security, the site is silently setting up a 1FA security method behind your back, allowing a text to bypass your password and 2FA entirely. Paradoxically, by enabling 2FA in many places, you are actually switching to 1FA and making your account less secure than a password alone.
I'd like to see a column added for sites which do this and how to remove your phone number as a single-factor reset method. Offenders I'm aware of: Twitter, Wells Fargo, CreditKarma, Microsoft, Google.
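The argument in the last comment, that an account is only as strong as its weakest login or recovery path, can be checked mechanically. The following is an added example, not code from this project or any commenter: it models each path to account control (normal login, password reset, and so on) as a set of factors, groups factors by what an attacker would need to obtain, and reports the weakest path. The site names and policies are constructed for illustration and are not measurements of any real service; the factor groupings are this example's own assumption.

```python
"""Find the weakest path to account control across login and recovery flows.

A password reset that needs only an SMS code is itself a login path, so a
password+TOTP login guarded by an SMS-only reset is effectively single factor.
Sites and policies below are constructed examples (assumption: not real data).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Factor kinds, grouped by what an attacker must obtain to satisfy them.
KNOWLEDGE = "knowledge"            # password, security answers
DEVICE = "possession_device"       # TOTP app, hardware key
PHONE_NUMBER = "possession_number"  # anything delivered by SMS or voice call
MAILBOX = "possession_mailbox"     # reset link sent to an e-mail address

# Assumed mapping from concrete factor to kind (this example's own grouping).
FACTOR_KIND: Dict[str, str] = {
    "password": KNOWLEDGE,
    "security_questions": KNOWLEDGE,
    "totp": DEVICE,
    "hardware_key": DEVICE,
    "sms_code": PHONE_NUMBER,
    "voice_call_code": PHONE_NUMBER,
    "email_link": MAILBOX,
}


@dataclass(frozen=True)
class AuthPath:
    name: str
    factors: FrozenSet[str]

    def kinds(self) -> FrozenSet[str]:
        """Distinct kinds of thing an attacker needs for this path."""
        return frozenset(FACTOR_KIND[f] for f in self.factors)


@dataclass(frozen=True)
class SitePolicy:
    site: str
    paths: List[AuthPath]  # login plus every recovery flow that yields control


def weakest_path(policy: SitePolicy) -> AuthPath:
    """Path with the fewest distinct factor kinds; ties favour phone-number paths."""
    return min(policy.paths,
               key=lambda p: (len(p.kinds()), PHONE_NUMBER not in p.kinds()))


def audit(policy: SitePolicy) -> dict:
    """Summarise the effective strength of an account on this site."""
    weak = weakest_path(policy)
    kinds = weak.kinds()
    return {
        "site": policy.site,
        "effective_factors": len(kinds),
        "weakest_path": weak.name,
        # True when control of the phone number alone bypasses password and 2FA
        "password_bypass_via_phone_number": kinds == frozenset({PHONE_NUMBER}),
    }


def audit_all(policies: List[SitePolicy]) -> List[dict]:
    return [audit(p) for p in policies]


# Constructed sample policies (assumption: illustrative, not real services).
EXAMPLE_POLICIES = [
    SitePolicy("sms-reset.example", [
        AuthPath("login", frozenset({"password", "totp"})),
        AuthPath("password reset", frozenset({"sms_code"})),
    ]),
    SitePolicy("fixed.example", [
        AuthPath("login", frozenset({"password", "totp"})),
        AuthPath("password reset", frozenset({"email_link", "totp"})),
    ]),
    SitePolicy("password-only.example", [
        AuthPath("login", frozenset({"password"})),
        AuthPath("password reset", frozenset({"email_link"})),
    ]),
]

if __name__ == "__main__":
    for result in audit_all(EXAMPLE_POLICIES):
        flag = " WARNING: 2FA bypassable by anyone controlling the phone number" \
            if result["password_bypass_via_phone_number"] else ""
        print(f"{result['site']}: {result['effective_factors']} factor(s) "
              f"via '{result['weakest_path']}'{flag}")
```

The output makes the comment's point concrete: the site with an SMS-only reset scores the same single factor as a site with no 2FA at all, and the flag identifies the phone number as the one thing an attacker needs. Adding a second factor kind to the reset flow, as in the second policy, is what restores two-factor strength.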