Yet another example of why SMS is terrible for 2fa and account recovery.
"the database — running on Amazon’s Elasticsearch — was configured with a Kibana front-end, making the data within easily readable"
https://techcrunch.com/2018/11/15/millions-sms-text-messages-leaked-two-factor-codes/
#2fa
-
-
The Value of a Name (ello.co)
as of Saturday morning my number had been forwarded to a number I did not recognize. Unreal. So, as far I can tell, the attack actually started with my cell phone provider, which somehow allowed some level of access or social engineering into my Google account, which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account.
-
I work as a sales rep in-store for a telco. From a security perspective, it's ridiculous... | Hacker News (news.ycombinator.com)
Anyone relying on two-factor auth with a phone number who uses my company is vulnerable. Simple as that. It would take a determined attacker a day to get control of your number.
-
@pebble I would really love to see the ability for notifications to include custom-defined actions for the three right buttons! For example, a notification arrives that says "would you like to approve this login?" and the top and bottom buttons say "Yes" and "No". Each button has a URL defined that will be requested when the respective button is pressed. This would make for a slick two-factor auth utility among other things, and could even be developed without writing any code that runs on the Pebble!
-
Thinking about two-factor auth at a nano level, requiring human confirmation before any client can actually post to your site via your micropub endpoint.
For example, I sign in to barnaby's experimental Taproot interface but don't trust it entirely yet. Instead of giving him blanket access to post to my site, every time his app makes a request to my micropub endpoint, it goes and asks me for confiramtion before publishing.
Either OOB confirmation (2-factor auth via SMS or something) or an OAuth-like confirmation dialog from the same browser window.
#indieauth #micropub #2fa