nanog mailing list archives

Re: Malicious SS7 activity and why SMS should never be used for 2FA


From: Randy Bush <randy () psg com>
Date: Mon, 19 Apr 2021 06:55:05 -0700

> I'd add to that that people probably shouldn't treat phones as a
> significant increase in security, it's not really the out-of-band
> device that it used to be/was in the 1990s. Today, it basically
> equates to a second computer and the probability that the second
> computer is also compromised isn't overly unrealistic.

by the same attacker?  raises the bar a bit.  it's just a second factor,
not a guarantee.

i am a fan of the google token and don't like having to carry a
different hw token for everyone who wants to hw 2fa me.

but i think $ubject is correct.  sms 2fa is roadkill.

randy

---
randy () psg com
`gpg --locate-external-keys --auto-key-locate wkd randy () psg com`
signatures are back, thanks to dmarc header butchery

