Sunday 1 January 2017

We all (should) by now know that SMS 2FA is bad opsec. But how about mobile-app 2FA offered by the likes of Google/Outlook?


There's been heightened awareness lately of the risk of mobile phone numbers being hacked (ported, SIM cloned), which has then been used to get into email accounts (even 2FA'd ones) that have "phone number" as a recovery option. See Kraken's great blog post and Coinbase's post too.

From this there are 2 critical lessons:

1) You 100% have to set 2FA for emails and other important accounts, and it absolutely should not be SMS/text message based.

2) Don't set phone number as a recovery option or even as an account setting for email/important accounts (you should also take steps with your mobile phone provider to limit their vulnerability to being socially engineered... but don't place too much faith in that!)

This limits the damage of your phone number getting rekt.

However, email providers like Google (their "Prompt" app description here)/Outlook also offer a third option for 2FA through a "mobile app". So, NO apparent TOTP code generated to be entered (as on GAUTH and receiving SMS), but just an app that brings up a notification for you to tap (looks like this in Google settings -- NOTE that this is not the same option as SMS/text nor the TOTP secret for GAUTH/others!!):

"Approve a notification. With this kind of app, you no longer need to enter security codes. Instead, you'll receive a notification on your device when you need to verify your identity. Open the notification, approve it, and you're done."

Is this
A) Worse than GAUTH / TOTP?
B) Any better than SMS / Text Message 2FA?

The issue is, if someone hijacks your phone number, can they somehow leverage that to access the "App 2FA" specific to each service, like the Google Prompt or Microsoft Sign-in 2-factor options?

via /r/Bitcoin http://bit.ly/2hCzpGa
