The author concludes an SMS code is two-step auth, not two-factor, because the code could be transmitted over Messenger. This allowed the author to authenticate without physical access to the device.
I fail to see how pushing a button makes a significant difference. Instead of sending a code, I'll just ask my friend over Messenger to push the button. Authenticated without any more physical access than with the code system.
The upshot of this is: various techniques commonly called a second factor are in fact subject to social engineering, thus* disqualifying them from the technical definition of a “factor”.
Technically code via SMS is 2FA, it is proving one has access to that cell/mobile phone account either directly or indirectly. I would say it is a terrible authentication system but it is a different factor to something you are (biometrics) or something you know (password/passphrase). However cell/mobile phone accounts are really easily to social engineering access to via the phone companies to send replacement SIM cards for that IMSI, not to mention the encryption to/from the phone has known major flaws (especially pre 3G GSM standards). Far better to use TOTP, HOTP or U2F which are actually designed for authentication purposes rather than have the phone company attempt to do it for you.
7 comments
[ 3.6 ms ] story [ 29.5 ms ] threadI fail to see how pushing a button makes a significant difference. Instead of sending a code, I'll just ask my friend over Messenger to push the button. Authenticated without any more physical access than with the code system.
2. Here's no information at all about what to do instead.
3. Here's a list of things I complained about in paragraph 1 but are actually 2Fa products after all
(* I’m fudging it a bit with the word “thus”.)