Comments
-
Sounds secure enough to me, adds a different type of security layer and I don’t think they would stoop down to sell your phone number.
-
@aviophile the security part is okay, definitely worth having, but I wouldn't put the phone number thing beyond them
-
atheist 9805 3y
2FA doesn't require a phone number, it's something you know and something you have, Google authenticator on your phone doesn't connect to the remote service or give them any information.
-
C0D4 66944 3y
In level of effectiveness
1) SMS
2) Authenticator app (TOTP / Push notifications)
3) Hardware based (yubikey, smart cards)
An SMS can be intercepted, or worse your phone number can be ported to a new sim depending on the telco and their lack of security measures, this is also the easiest to implement from a user perspective.
TOTP if done right, only allows a 30 second window for a code to work, now... if done incorrectly some implementations allow around 1-2 minutes before and after the current time, increasing the attack range.
Hardware, well someone has to find it to use it.
-
C0D4 66944 3y
@EpicofGilgamesh by choice, I would use TOTP before SMS. There's a shared secret key behind the scenes and a time based formula used to generate the 6-8 digit codes.
It's easy to implement but there's a level of trust of the app having it actually setting it up correctly.
Related Rants
Is 2 factor authentication really that secure, or is it just a ruse by sites to get to your phone???
question
conspiracy