Dora, stop playing around, and get SMS… for now at least..

Ackermann Yuriy
2 min read · Mar 27, 2017

Opinions expressed are solely my own and do not express the views or opinions of my employer.

Recently I’ve seen far too many posts about “abandoning SMS”. I have only one thing to say: STOP IT.

Yes. I am serious. Your constant non-constructive moaning is not just annoying; most importantly, it’s dangerous.

Yes, SMS is bad. I know it. I have read the NIST draft of the “Digital Authentication Guideline”. I have read about the SS7 attack. I know you can build a rogue spoofing base station for under a thousand dollars. And I know that with some easy social engineering you can get someone’s SIM card reissued. SMS 2FA is fucking terrible, but…

Let’s imagine for a second that Facebook abandons SMS. Nine hundred million accounts without any second factor. That is as good an idea as removing handrails. SMS is used in a lot of areas: social networks, banks, payments, government, healthcare, you name it. If we abandon SMS 2FA right now, everywhere, it will be a disaster, not a solution.

The forced abandonment of one technology, without an equal or better replacement, makes the general state of things worse.

I would like to remind you that, even with all of SMS’s issues, any attack will still be targeted, and that makes all the difference in the world, because it means the attacker has to get to you personally. Do you think Boris will fly to the US, buy an eight-hundred-dollar rogue base station, and use it to steal your Facebook 2FA codes? If yes, then you are in way deeper shit than the security of SMS 2FA solutions.

SMS is here. We are using it. It’s bad. But at this stage it’s the de facto second-factor authentication solution, and it does the job. Better to have some security than no security.

If you do want to be helpful, then talk to your company. Promote U2F (Google, Dropbox, Dashlane and now Facebook support it). Promote hardware tokens. Promote better authentication solutions. Do everything that is possible to ensure that we are building a new, SMS-free, secure authentication ecosystem.

But for now, if you have no other choice, use SMS 2FA, and for the love of god STOP advising people not to use SMS if there are no alternatives.

Love and kisses. Yuriy
