That's a great write-up, thanks!

There's a phrase I really like, which is "usable security". That is, how do we secure things in a way that actually secures them, but isn't so onerous that it makes them impossible for people to use? U2F is getting there, but a lot of folks -- especially folks who are new to good security hygiene -- are having a hard time with adoption.

I don't disagree with most of what you've said, but my view is a bit different. The place I have seen people get into is when account recovery happens by way of authenticating with SMS, or no account recovery is possible at all once the 2nd factor is compromised. In both cases, the user is totally hosed.

And, yeah, totally agree about the bank note!

Anyway, that's my justification for not making a flat-out recommendation for using 2FA via SMS if no other option is available. Depending on the type of account, having it compromised for a limited amount of time (via the password being compromised and then recovered) may actually be preferable to losing access permanently. Social engineering is really not difficult to do, especially if the account holder personally is a target.

Thanks again for weighing in! There are a lot of factors (ha) to consider. I try to get everyone to use U2F, but am not always successful :-)


U2F is great because it's a relatively cheap hardware dongle. I'd like people to be using the U2F devices that are also PKCS#11 devices, but the ones that also handle NFC for mobile use tend to get prohibitively expensive.

What I'd love to see is banks and similar institutions hand these out to customers freely, so that their customers get better security everywhere - but most importantly at their bank.

That would be amazing. After all, it's in their best interests not to have accounts compromised, as well.