2FA two step verification & the obsession with security

PlainName:
One thing highlighted by its absence in this TOTP discussion is that to use it the end user needs to be running either a special product-specific app or a generic authenticator. Not so hot if they are PC users, and the support for user errors is likely to be greater than zero. OTOH, SMS just works and you don't need an iPhone or Android or anything special - a simple decade-old dumb phone will work. Further, the end user isn't in a race to read and type before the pretty short timeout (sod's law says they will start with 15 seconds to go).

Won't anyone think of the chiuser?

metebalci:

--- Quote from: dunkemhigh on February 15, 2022, 12:42:38 pm ---One thing highlighted by its absence in this TOTP discussion is that to use it the end user needs to be running either a special product-specific app or a generic authenticator. Not so hot if they are PC users, and the support for user errors is likely to be greater than zero. OTOH, SMS just works and you don't need an iPhone or Android or anything special - a simple decade-old dumb phone will work. Further, the end user isn't in a race to read and type before the pretty short timeout (sod's law says they will start with 15 seconds to go).

Won't anyone think of the chiuser?

--- End quote ---

Very correct, that is another reason why SMS OTP is offered either as an alternative or as a fallback method even if there are other mechanisms.

About the timeout, SMS OTPs also have or must have a timeout. You might have heard there was an Android issue, a trojan was forwarding the SMS OTPs in the background. A timeout eliminates offline man-in-the-middle attacks. The issue is, if standard SMS gateways are used to send the SMS, the time it takes for an SMS to reach the end user cannot be guaranteed, I think, or it cannot be guaranteed to a low value. That is why some operators offer low-latency gateways particularly for this purpose, so a 60-second timeout can still work.

mac.6:
SMS OTP is not secure *at all*.
SIM theft/hijacking is a thing that is awfully simple and happens every day:
https://arstechnica.com/information-technology/2022/02/police-in-spain-dismantle-a-sim-swapping-ring-that-drained-bank-accounts/

metebalci:

--- Quote from: mac.6 on February 15, 2022, 01:47:21 pm ---SMS OTP is not secure *at all*.
SIM theft/hijacking is a thing that is awfully simple and happens every day:
https://arstechnica.com/information-technology/2022/02/police-in-spain-dismantle-a-sim-swapping-ring-that-drained-bank-accounts/

--- End quote ---

Wow, I didn't know it is still an issue. I remember after this happened (in Turkey, 10+ years ago) they changed the processes and there was a lock period, so you can easily figure out something is going on with your number before bad things happen. On the other hand, if identity theft is involved, this is a much bigger problem.

madires:

--- Quote from: ve7xen on February 14, 2022, 09:46:57 pm ---For real-world identity-tied things like taxes and bank accounts, I am a strong proponent of government-issued key material. We've had the technology for decades, but AFAIK only one country (Estonia) has ever issued such an identity document which is just absurd to me.

--- End quote ---

The German ID card has offered an eID function for several years now. Before 2017 it was an option; after that it's activated by default.
