• cooopsspace@infosec.pub
    link
    fedilink
    English
    arrow-up
    168
    ·
    edit-2
    8 months ago

    SMS: Here is your 30s “MFA” code, I’ll send it to you 40 minutes after you need it.

    SMS isn’t 2FA. Its 1.5FA.

    • KairuByte@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      92
      arrow-down
      1
      ·
      8 months ago

      SMS isn’t even secure. Mitm, social engineering, straight up theft, and more are all ways around it. It should never have been implemented, but especially not when totp exists.

      • Opisek@lemmy.world
        link
        fedilink
        English
        arrow-up
        52
        ·
        8 months ago

        What I despise most in when SMS is not just optional but forced upon me as “backup” to TOTP. “Lost your authenticator app? Send an SMS instead.” How about no?

        • KairuByte@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          10
          ·
          8 months ago

          I don’t believe I’ve run into that, but yeah it completely misses the point of totp. Hell, I’d prefer a lockout over SMS backup in most cases, my totp authentication has multiple encrypted backups.

        • lorkano@lemmy.world
          link
          fedilink
          English
          arrow-up
          8
          ·
          8 months ago

          Especially because you can just backup authenticator to the pendrive in encrypted form. I don’t care I loose my phone, that’s exactly the reason authenticator is better.

    • JasonDJ@lemmy.zip
      link
      fedilink
      English
      arrow-up
      17
      arrow-down
      1
      ·
      edit-2
      8 months ago

      Dude.

      My wife’s phone started acting up the other day. It would keep losing cell service and even when it showed a signal, it still would only work on wifi.

      That happened a few hours after I ported my phone number (on the same family plan) to another carrier. So naturally, I thought the issue was with the carrier.

      Since I planned on porting her number out to my new carrier anyway, I didn’t want to troubleshoot.

      Well, get to the new carrier and it’s still not working. Go through the whole process of resetting network settings, and then eventually deleting the esim.

      New carrier, though, needs you to receive a text message before they send the esim.

      Naturally, with the esim deleted, it couldn’t receive text messages.

      Her issue did end up being her phone. Even after the port went through in full, it was still hit-or-miss with cell service. Worked on wifi though.

    • datelmd5sum@lemmy.world
      link
      fedilink
      English
      arrow-up
      16
      arrow-down
      2
      ·
      8 months ago

      I’ve heard people in the US still use SMS to communicate with eachother. Fucking crazy.

      • Crashumbc@lemmy.world
        link
        fedilink
        English
        arrow-up
        23
        arrow-down
        1
        ·
        edit-2
        8 months ago

        Inertia and ease of use are powerful.

        SMS “just works” and works for everyone here.

        While I would like the new fancy features. At least RCS is bringing some and is seamlessly integrated.

        Bonus I have 10+ years of txt history and can scroll/search to find something. And since my phone is Google (I know evil) I can access it all from the desktop seamlessly in one window.

        • Rodeo
          link
          fedilink
          English
          arrow-up
          1
          ·
          8 months ago

          I don’t see any features rcs brings that makes it worth having all my communications routed through and stored on the private servers of a for-profit corporation.

      • Swedneck@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        8
        ·
        8 months ago

        uhhh that’s not some unique american thing lol, that’s how people here in sweden communicate too

        Barely anyone cares what specific protocol is being used, they just care about what app they have to use and who they can reach, and if anyone isn’t using a normal sms app they’re generally using facebook messenger or imessages both of which support sms fallback and thus their users don’t even know there’s a difference half the time.

        • datelmd5sum@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          4
          ·
          8 months ago

          Can you for example send a video, encrypted and to your computer via SMS? I don’t know how much tech they’ve built over the protocol over in the US, but in many parts of the world SMS was charged per message in your phone bill and things like photos or video cost more to send. People abandoned SMS quickly when 3rd party IP messaging apps like whatsapp came out.

          • Ricky Rigatoni@lemm.ee
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            2
            ·
            8 months ago

            i think most people have unlimited texting and data in america, the greatest country.

            • datelmd5sum@lemmy.world
              link
              fedilink
              English
              arrow-up
              3
              ·
              8 months ago

              Yeah data got unlimited here before texts, which caused people to move on to other things. Now texts are usually unlimited, but that train has already sailed.

      • jnk@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        3
        ·
        8 months ago

        Blame apple for that. IPhone has this proprietary messaging app pre-installed which is probably super convinient for the ecosystem but uses some obsolete SMS protocol to communicate with android phones. I think recently this has gotten better, but only because beeper and the EU pressing on them

    • MeanEYE@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      17
      ·
      8 months ago

      SMS is good enough. Sure it’s not as authenticator or some other MFA method, but it’s good enough. Chances of my random account hiding something worth subverting cell operator to get the SMS and my password, are slim to none. At that point don’t upload anything worth that much.

      • cooopsspace@infosec.pub
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        8 months ago

        It’s overwhelmingly whatever provider they use for SMS, or some sort of anti spam checking.

        My phone has reception the whole time.