
Two-factor authentication via SMS is the biggest waste of time. It's not true two-factor authentication, as you need to depend on the network and protocol between Namecheap and my phone. Not to mention the code is probably not originating from a Namecheap server but from a third-party service.

TOTP is a standard, it's great, there are open source implementations, and it's easy to integrate. Google even has that pam module. Use it.



Aside from being expensive and of questionable reliability, there are a few other major issues SMS just doesn't address:

1) Blocking phishing: where are you typing that code into? The real site? Are you sure? ... Zeus-in-the-mobile coming at you.

2) And once you are in the actual site and you want to do something of value, man-in-the-browser becomes an issue.

This sums it up: http://blogs.computerworld.com/data-security/24250/financial...

Oh yes, and the 34 banks that have been spear-phished and SMS-compromised know about it too...


> It's not true two factor authentication as you need to depend on the network and protocol between namecheap and my phone.

That's rubbish. 2FA means 'something you know and something that you have'.

What you know is your account credentials, what you have is your phone.


I don't think you understood my comment. SMS is not something "you have". You have your phone, the SMS is sent (presumably from namecheap, or from a third party service) through the network and arrives at your phone.

This means at any point between the sender and your phone anyone who has access can know what your "two factor" code is.

If you use true TOTP, i.e. Google Authenticator, then the code is generated via a secret key that lives on your phone, and nothing ever leaves your phone besides printing to screen and showing it to you when you need to log in.

Therefore, SMS "two factor" is not only costly and annoying, but ineffective.

Can I get my upvote back?


> This means at any point between the sender and your phone anyone who has access can know what your "two factor" code is.

And they don't have your account credentials; that's the other half of the two-factor approach.


