On Sat, Apr 17, 2021 at 6:00 PM Eric Kuhnke <[email protected]> wrote:
> Anecdotal: With the prior consent of the DID holders, I have successfully
> ported peoples' numbers using nothing more than a JPG scan of a signature
> that looks like an illegible 150 dpi black and white blob, pasted in an image
> editor on top of a generic looking 'phone bill'.
Hi Eric,

SMS for 2FA is fine. It's understood that a single authentication factor is not secure enough; that's why you use two.

SMS for 1FA is hugely risky and should not be used for anything important, like money. SMS for a password reset is an example of 1FA -- your ability to receive SMS messages at the required phone number becomes the sole authentication factor needed to access the account.

If the adversary has captured your password -and- reprogrammed your phone number, what makes you think they lack the wherewithal to have captured the shared secret used to generate your TOTP code?

Regards,
Bill Herrin

--
William Herrin
[email protected]
https://bill.herrin.us/
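The factor-counting argument above, as an added example that is not part of the thread or of anyone's real service: a toy service with three flows (password+SMS login, SMS-only password reset, SMS+TOTP password reset) run against adversaries who hold different subsets of the victim's factors. The account, phone number, password and TOTP seed are constructed; the TOTP routine is RFC 6238 over HMAC-SHA1 (the seed used is the RFC's own test key).

```python
"""Toy model of SMS as a second factor versus SMS as the sole factor.
Added example; not code from the thread. All accounts/values are constructed."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as most authenticator apps compute it."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


@dataclass
class Account:
    user: str
    password: str        # kept in the clear only to keep the toy short; hash it for real
    phone: str
    totp_secret: bytes


@dataclass
class Adversary:
    """Which of the victim's factors the attacker has managed to obtain."""
    knows_password: bool = False
    controls_phone: bool = False    # number ported away, so SMS now lands with the attacker
    has_totp_secret: bool = False


class Service:
    """Each flow is only as strong as the factors it actually checks."""

    def __init__(self, acct: Account, now: float):
        self.acct = acct
        self.now = now
        self.sms_code = None   # most recent code sent to acct.phone

    def send_sms(self) -> str:
        """Generate a one-time code; it goes to whoever the carrier routes the number to."""
        self.sms_code = f"{secrets.randbelow(10 ** 6):06d}"
        return self.sms_code

    def check(self, factor: str, presented: dict) -> bool:
        got = presented.get(factor, "")
        want = {
            "password": self.acct.password,
            "sms": self.sms_code or "",
            "totp": totp(self.acct.totp_secret, self.now),
        }[factor]
        if not got or not want:          # an absent factor never matches an absent code
            return False
        return hmac.compare_digest(got, want)

    def login(self, presented: dict) -> bool:
        # 2FA: something you know (password) AND something you receive (SMS)
        return self.check("password", presented) and self.check("sms", presented)

    def reset_sms_only(self, presented: dict) -> bool:
        # 1FA: the SMS code alone is the entire proof of identity
        return self.check("sms", presented)

    def reset_sms_and_totp(self, presented: dict) -> bool:
        # Reset stays two-factor: SMS plus a code from the TOTP seed
        return self.check("sms", presented) and self.check("totp", presented)


def attempt(svc: Service, adv: Adversary) -> dict:
    """Run every flow as the adversary and report which ones succeed."""
    code = svc.send_sms()
    presented = {}
    if adv.knows_password:
        presented["password"] = svc.acct.password
    if adv.controls_phone:
        presented["sms"] = code          # the SMS was delivered to the ported number
    if adv.has_totp_secret:
        presented["totp"] = totp(svc.acct.totp_secret, svc.now)
    return {
        "login": svc.login(presented),
        "reset_sms_only": svc.reset_sms_only(presented),
        "reset_sms_and_totp": svc.reset_sms_and_totp(presented),
    }


def scenarios() -> dict:
    """Constructed victim and three adversary profiles of increasing capability."""
    acct = Account("alice", "correct horse", "+15550100", b"12345678901234567890")
    now = 1_700_000_000.0   # fixed clock so TOTP output is reproducible
    cases = {
        "ported_number_only": Adversary(controls_phone=True),
        "password_plus_ported_number": Adversary(knows_password=True, controls_phone=True),
        "password_phone_and_totp_seed": Adversary(True, True, True),
    }
    return {name: attempt(Service(acct, now), adv) for name, adv in cases.items()}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The first scenario is the one the thread is about: an attacker with nothing but a ported number cannot log in (no password) but walks straight through the SMS-only reset, which is the whole account. Requiring a second, non-SMS factor on the reset path closes that flow for the same attacker without changing anything about ordinary login.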

