≡ Menu

2fa broken?

In an article today from The Verge:


Two factor authentication is declared a mess. It seems that the mess is caused by the proliferation of different types of 2fa. SMS has been known to have weaknesses for quite some time. Recently a banking website I use has changed from showing my complete mobile number to just showing the last 2 digits. I am not sure why they show it at all. Perhaps in case I changed mobile numbers recently. Hopefully someone receiving just the SMS wouldn’t be able to figure out from that information alone where to input the code.

What’s the point of calling 2fa a mess? It’s better than 1fa. The article does say:

None of this means two-factor is pointless, but it isn’t the silver bullet that it seemed to be in 2012. Adding an authentication code hardens the login page, but smart attackers will just find another angle of approach, whether it’s a carrier account, a preregistered device, or just a customer service department that’s a little too eager to reset the password. Those weak points are the real measure of how secure an account is, but they’re impossible to spot from the outside. The result is that, if you’re looking for the chat app that’s hardest to hijack, it’s hard for even sophisticated users to know what to look for.

…but falls short of giving a next step. What should I do now?