nanog mailing list archives

Re: Malicious SS7 activity and why SMS should never by used for 2FA

From: John Adams <jna () retina net>
Date: Mon, 19 Apr 2021 09:58:42 -0700

The goal of U2F is one key fob that works on many services. Implementation is pretty simple and the hardware is 
inexpensive.


Sent from my iPhone

On Apr 19, 2021, at 08:51, William Herrin <bill () herrin us> wrote:

On Mon, Apr 19, 2021 at 5:54 AM Mark Tinka <mark@tinka.africa> wrote:

It's all about convenience, and how much they can get
done without speaking to human.


Hi Mark,

Convenience is the most important factor in any security scheme. The
user nearly always has a choice, even if the choice is as
rough-grained as "switch to a different company." If your process is
too onerous (the user's notion of onerous) then it simply won't be
used. An effective security scheme is the strongest which can be built
within that boundary.

If a key fob can be sent to them - preferably for free - that would help.


Hint: carrying around a separate hardware fob for each important
Internet-based service is a non-starter. Users might do it for their
one or two most important services but yours isn't one of them.

Regards,
Bill Herrin

-- 
William Herrin
bill () herrin us
https://bill.herrin.us/

Current thread:

Re: Malicious SS7 activity and why SMS should never by used for 2FA, (continued)
- - - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA John Adams (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA William Herrin (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA John Adams (Apr 18)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Tom Beecher (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA William Herrin (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA John Adams (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA John Levine (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mike (Apr 20)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 20)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Tom Beecher (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mark Tinka (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Tom Beecher (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Mel Beckman (Apr 19)
    - Re: Malicious SS7 activity and why SMS should never by used for 2FA Tom Beecher (Apr 19)

(Thread continues...)