Firefox 70 released [LWN.net]

Firefox 70 released

Posted Oct 28, 2019 18:51 UTC (Mon) by raven667 (guest, #5198)
In reply to: Firefox 70 released by apoelstra
Parent article: Firefox 70 released

> Maybe. But it causes phone accounts to be taken over, and unlike the situation online accounts, this cannot be prevented by conscientious users.

Is security something that only conscientious users should enjoy, or something that should be baked into the defaults. I understand that SMS 2FA puts more strain on the phone system's security, but it also puts more strain on attackers and slows them down too.

> SMS based 2FA has been a massive detriment to my security

Compared to passwords alone without any second factor? SMS 2FA is worse than just bare passwords, is that your claim?Needing to do SIM cloning to intercept SMS is a significantly higher bar than just compromising the Cat Fancy blog comment system and trying all the creds on Bank of America website or similar. Its not that its impossible to beat, we both know it isn't, but whether it's better than the status quo. Password managers and random shared secrets are better than using shared common passwords across many sites, SMS 2FA is better, Phone 2FA is better still and an external token is best.

to post comments

Firefox 70 released

Posted Oct 28, 2019 21:11 UTC (Mon) by mathstuf (subscriber, #69389) [Link] (1 responses)

I think the issue is that companies add SMS 2FA and say they're done. Supporting the more secure variants is still necessary for those who want to be more secure. But too often I've seen response along the lines of "but we have it already" and having to explain why it's not sufficient for me is exhausting. I should probably push hard on my financial institutions (e.g., Fidelity finally has SMS which I did enable, but while other methods are possible across their setup, they're not available for my account type).

Firefox 70 released

Posted Oct 28, 2019 22:31 UTC (Mon) by pizza (subscriber, #46) [Link]

Plus, even putting aside the security flaws inherent to SMS, reliable SMS delivery is not a given -- for example, during international travel. Or should your phone suffer a catastrophic failure. Or both simultaneously.

Firefox 70 released

Posted Oct 29, 2019 20:56 UTC (Tue) by apoelstra (subscriber, #75205) [Link]

> Is security something that only conscientious users should enjoy, or something that should be baked into the defaults.

Of course security should not be limited to conscientious users, but SMS 2FA strictly increases the conscientiousness you need to be secure. With 1FA you need to use strong unique passwords; with SMS 2FA you also need to use non-public throwaway phone numbers. I know several people personally who have had their numbers ported, which led to multiple simultaneous account compromises (even when using unique passwords), not to mention being extremely inconvenient.

> I understand that SMS 2FA puts more strain on the phone system's security, but it also puts more strain on attackers and slows them down too.

It doesn't seem to put any strain on the phone system's security. Phone companies are happy to let attackers port arbitrary numbers with basically no resistance and then absolve themselves of all responsibility. As far as I know no legal system in the world holds them accountable for this.