PayPal used to openly support token 2FA, but have since made it nearly
impossible to use hardware tokens. They try very hard to ram SMS down
everyone's throats.
-Dan
On Sun, 18 Apr 2021, Mel Beckman wrote:
No, every SMS 2FA should be prohibited by regulatory certifications. The telcos
had years to secure SMS. They did nothing. The plethora of well-secured
commercial 2FA authentication tokens, many of them free, should be a mandatory
replacement for 2FA in every security governance regime, such as PCI, financial
account access, government web portals, etc.
-mel via cell
On Apr 17, 2021, at 6:27 PM, Tim Jackson <jackson....@gmail.com> wrote:
???
Every SMS 2FA should check the current carrier against the carrier when
enrolled and unenroll SMS for 2FA when a number is ported out. BofA and a few
others do this.
--
Tim
On Sat, Apr 17, 2021, 8:02 PM Eric Kuhnke <eric.kuh...@gmail.com> wrote:
https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80
https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/
Anecdotal: With the prior consent of the DID holders, I have successfully
ported people's numbers using nothing more than a JPG scan of a signature that
looks like an illegible 150 dpi black and white blob, pasted in an image editor
on top of a generic looking 'phone bill'.