
> Yeah, and it requires me to use a U2F token, which I can lose, etc.

In which case there are much safer recovery mechanisms available. For example, a second U2F token, or handwritten backup codes.

> and SMS as a second factor seems like a perfectly reasonable balance.

My point is that it isn't. Unfortunately, today, identity is a true privilege - it pretty much requires purchasing multiple U2F tokens, and that's super shitty. That doesn't mean that SMS 2FA is a good idea - the fact that it can actually reduce your security is very problematic.



But that is my entire point. SMS as a second factor is purely additive. It cannot reduce security.

There is pretty much no form of second factor that users are worse at passing than backup codes. Even if people print them out (few do), they won't find them when the emergency happens. You need some form of trust that can be bootstrapped again from scratch.

For most of the world, SMS is it. The Nordic countries have the BankID system. But the market is too small. Hopefully the EU-wide identity verification systems solve the scale problem.


> Some form of trust that can be bootstrapped again from scratch.

This is not using it as a second factor. It is using it as the only factor. Having SMS as the only factor is not purely additive. As such it can (and obviously does) reduce security.

Account recovery is hard. SMS is quite usable there, but way too insecure to be the only basis for bootstrapping account recovery.


I don't really understand why you think I'm advocating for SMS as the only factor, when I very clearly wrote the exact opposite.

Let's say that you remember your password, but your house just burned down. You cannot replace the U2F keys and backup codes that were lost in flames. But you almost certainly can bootstrap your real life identity far enough to get a replacement SIM.

Which, in combination with your password, should be enough to get your digital identity back.


Except in practice, most providers (even those that should know better, like Google) allow use of SMS, ostensibly set up as a “second factor,” to be used for account recovery without knowing the password. Making it, in practice, 1FA.


Confusion about the word bootstrapping. I read "bootstrapping trust" as regaining trust based solely on SMS.

But indeed, SMS as a second factor is much easier to recover in catastrophic situations than some other second factors. That is a fair point, and an advantage of SMS over other common second factors.


> SMS as a second factor is purely additive. It cannot reduce security.

You are forgetting social engineering. Humans find it reassuring that the security process happened as usual, even if in fact the apparently "usual" process was them being phished. This can mean they're actually less alert than they would be otherwise.

You get an urgent message from your bank about an unexpected $500 transaction, you follow the link & you need to enter your password as usual of course, and then it tells you that you'll get an SMS and to type in the code so you do so. Phew! Disaster averted! Right? This must have been real, you even got an SMS from the bank.

Alas the SMS was from your bank, and the bad guys didn't have a way to intercept it, but they didn't need one because you typed it into their phishing website. That unexpected $500 transaction wasn't real, but their emptying of your bank account will be.
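The relay in the story above, as an added illustration that is not part of anyone's comment in this thread: the same relay run against an SMS code and against an origin-bound token (the U2F/WebAuthn idea). The origins are constructed, and an HMAC with a per-device key stands in for the token's real signature; the point is only that the browser mixes the origin it is showing into what gets signed, so an answer produced on a look-alike page fails at the real site, while a bare SMS code is bound to no origin at all.

```python
import hashlib
import hmac
import secrets

# Constructed sample origins for the story above (not real sites).
REAL_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.alerts.invalid"


# --- SMS one-time code: a bare digit string, tied to the user but to no origin ---
def issue_sms_code(pending: dict, user: str) -> str:
    """Server generates a 6-digit code and texts it; `pending` maps user -> code."""
    code = f"{secrets.randbelow(10**6):06d}"
    pending[user] = code
    return code


def verify_sms_code(pending: dict, user: str, code: str) -> bool:
    """Server accepts the code no matter which web page the user typed it into."""
    expected = pending.pop(user, None)  # single use: the code is consumed here
    return expected is not None and hmac.compare_digest(expected, code)


# --- Origin-bound assertion (simplified): the browser feeds the origin it is
# showing into the signed data. HMAC with a per-device key stands in for the
# token's signature, which is a simplification of the real protocol.
def token_sign(device_key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    return hmac.new(device_key, challenge + browser_origin.encode(), hashlib.sha256).digest()


def verify_assertion(device_key: bytes, challenge: bytes, assertion: bytes, expected_origin: str) -> bool:
    """The real site recomputes over ITS origin; a mismatch means a different page was signed."""
    return hmac.compare_digest(assertion, token_sign(device_key, challenge, expected_origin))


def relay_attack_succeeds_with_sms() -> bool:
    """User reads the real bank's SMS and types it into the look-alike page, which
    forwards it to the real site. The origin plays no role, so it verifies."""
    pending = {}
    code_from_real_bank = issue_sms_code(pending, "alice")
    typed_into_phish_page = code_from_real_bank  # user copies the code over
    return verify_sms_code(pending, "alice", typed_into_phish_page)


def relay_attack_succeeds_with_token() -> bool:
    """Same relay against an origin-bound token: the real site's challenge is forwarded
    by the look-alike page, but the token signs it with the origin the browser sees."""
    device_key = secrets.token_bytes(32)
    challenge = secrets.token_bytes(32)  # issued by the real site, relayed unchanged
    assertion = token_sign(device_key, challenge, PHISH_ORIGIN)  # browser was on the phish page
    return verify_assertion(device_key, challenge, assertion, REAL_ORIGIN)
```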


Here's the same story without 2FA:

"You get an urgent message from your bank about an unexpected $500 transaction, you follow the link & you need to enter your password as usual of course. It was a phishing website. Your bank account will be emptied."

It did not reduce security.


But in your revised story I don't receive reassurance that everything is going as planned. That's what I'm getting at, the SMS step is reassuring even though it actually shouldn't be.


If there is no 2FA, not being asked for a confirmation code is things going as normal. Also, it's totally irrelevant whether the user gets cold feet since in the password-only world they've just handed away the keys to the kingdom.


> But that is my entire point. SMS as a second factor is purely additive. It cannot reduce security.

It most certainly can reduce security, that's the point. If I don't have a phone number on my account (which I almost universally don't) then no amount of SMS hijacking will ever matter.

If some provider forces me to put a phone number in, now I may be vulnerable to a weakness I didn't want to be vulnerable to. Maybe today that particular provider uses SMS in a strictly additive sense. Maybe. Just as likely next month they'll redesign their site to be "easier" and add back the vulnerability.

Same with recovery questions. They make the security strictly worse for most people since they are password-equivalents with far lower entropy. Although personally my best friend from high school was named D3ho9WvylJkws1zfAKUxZjdYuCsS.


They specifically said "SMS as a second factor." What you're discussing here is a completely different use of SMS that nobody is arguing in favor of.


As I mentioned, there is no guarantee any site is going to never allow use of that phone, once it's on file, to bypass authentication. Even if they don't right now. So adding a phone to an account increases your risk in a way you can't control. The only guaranteed way to avoid it is to never have a phone# on file.


> SMS as a second factor is purely additive. It cannot reduce security.

I responded to this in another post.

> There is pretty much no form of second factor that users are worse at passing than backup codes.

Agreed, I also mentioned backup U2F. At this point modern smart phones package TPMs that can also do attestation, so we're really not too far away from being in a situation where the vast majority of people have a U2F token in their pocket.


It can reduce security if the password can be reset with SMS.


That's the whole point of GP:

SMS is perfectly fine as a second factor, and terrible if it can serve as the only factor.


> In which case there are much safer recovery mechanisms available. For example, a second U2F token, or handwritten backup codes.

Which have either higher costs or "administrative burden" or both, which will lead them to failure for a big chunk of non-tech-savvy people. Educating a casual user that they need to print out recovery codes and store them in a safe place is not exactly top-notch usability.


> Educating a casual user that they need to print out recovery codes and store them in a safe place is not exactly top-notch usability.

So then have two U2F tokens. Or use your phone's TPM as a U2F token. The usability of phone-based U2F is quite good.


A phone's TPM is the only U2F token that 99% of the world owns, assuming they own one at all.


Yes, as I've said, availability is the problem to solve. We should be shipping U2F tokens wherever we can. I'd like to see schools that require students to use GSuite and other U2F supporting sites giving students tokens for free. I'd like to see banks giving their customers tokens. I'd like to see companies giving them to employees.

IMO the problem is not "let's get some kind of 2FA" it's "let's get U2F in the hands of as many people as we can".


Most people don't own two phones though, and wouldn't think to have two separate U2F tokens.


> the fact that it can actually reduce your security is very problematic.

The only way it can ever actively reduce your security is if it's used as a single factor, as it was for the OP.


> The only way it can ever actively reduce your security is if it's used as a single factor, as it was for the OP.

I don't believe this is true. If I have your SMS I am considerably more likely to be able to phish a recovery, even if recovery also involves something else. Every piece of information the attacker can get is valuable for forging auth.

What SMS is good at is being available. At this point cell phones are distributed to a massive portion of the world. But at this point smartphones can also act as U2F devices, I believe, so I'm not sure that benefit is so meaningful anymore.

Instead of companies wasting time on SMS 2FA they should be figuring out how to help their customers set up U2F.

I'd like to avoid being in a situation in 10 years where we have great options for end users available but 2FA SMS is still supported for legacy reasons, and unwitting users end up using it because it seems easier and they don't understand the risks.


> I don't believe this is true. If I have your SMS I am considerably more likely to be able to phish a recovery, even if recovery also involves something else.

So it's better to not consider that information at all?

What is better? (1) Requiring a password to login or (2) Requiring a password and a code sent via SMS?

The problem you're describing is that services accept SMS in lieu of other forms of verification, such as an actual password. Personally, I would very much like it if I could turn off any and all forms of "I forgot my password" flows. There should at minimum be a one-week waiting period or similar.


> So it's better to not consider that information at all?

Exactly.

> What is better? (1) Requiring a password to login or (2) Requiring a password and a code sent via SMS?

They're equivalent in my mind - SMS is such a weak 2FA mechanism, and it's so easy to get wrong and have it decrease your overall security, any benefit is lost. Rather than pushing SMS because it's what we have we should make greater efforts to leverage technology that we know is considerably better in every regard except availability today - IMO that is the problem to solve.
