7 comments

[ 3.6 ms ] story [ 29.5 ms ] thread
This article doesn't really say how to design a two-factor authentication properly.
The author concludes an SMS code is two-step auth, not two-factor, because the code could be transmitted over Messenger. This allowed the author to authenticate without physical access to the device.

I fail to see how pushing a button makes a significant difference. Instead of sending a code, I'll just ask my friend over Messenger to push the button. Authenticated without any more physical access than with the code system.

1. Please stop calling two-factor-authentications 'two factor authentications'.

2. Here's no information at all about what to do instead.

3. Here's a list of things I complained about in paragraph 1 but are actually 2Fa products after all

The upshot of this is: various techniques commonly called a second factor are in fact subject to social engineering, thus* disqualifying them from the technical definition of a “factor”.

(* I’m fudging it a bit with the word “thus”.)

Now that I'm no longer so caught up in this pet project article of mine, I realize how BS it is. Deleted.
Microsoft/hotmail has 3 factor authentication where we have to verify phone number to rcv the sms code.
Technically code via SMS is 2FA, it is proving one has access to that cell/mobile phone account either directly or indirectly. I would say it is a terrible authentication system but it is a different factor to something you are (biometrics) or something you know (password/passphrase). However cell/mobile phone accounts are really easily to social engineering access to via the phone companies to send replacement SIM cards for that IMSI, not to mention the encryption to/from the phone has known major flaws (especially pre 3G GSM standards). Far better to use TOTP, HOTP or U2F which are actually designed for authentication purposes rather than have the phone company attempt to do it for you.