Developers, consider not sharing the name of your app in your SMS 2FA text messages. This may allow people / aggregators (govt. or other) in the middle to glean information about your users.

Instead, consider displaying a unique string in the app itself, then share that via the text message to pair in addition to the TOTP code.

This may help whistleblowers & everyday people to avoid divulging additional attack surfaces.
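As an added illustration of the suggestion above (not code from the poster or from any real provider), the following Python sketch compares the usual SMS template that names the app with one that carries only a short pairing string shown in the app's own UI plus the one-time code. The server-side names (`Challenge`, `issue_challenge`, `verify_code`, `leaks_service_name`) and the in-memory challenge store are hypothetical; the example goes slightly beyond the post by also making codes single-use and time-limited, and by adding a test-time check that no outgoing template leaks the service name.

```python
import hmac
import secrets
import time

# Constructed example. Models a login server issuing an SMS second factor
# without naming the service in the message body.

PAIRING_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # avoids 0/O and 1/I confusion
CODE_TTL_SECONDS = 300


def new_pairing_string(length: int = 4) -> str:
    """Short string displayed in the app UI and echoed in the SMS, so the user
    can match message to session without the SMS naming the app."""
    return "".join(secrets.choice(PAIRING_ALPHABET) for _ in range(length))


def new_code(digits: int = 6) -> str:
    """Random numeric one-time code, zero-padded to the requested width."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def sms_body_with_app_name(app_name: str, code: str) -> str:
    """The pattern the post argues against: whoever sees the SMS stream learns
    which service the recipient uses."""
    return f"Your {app_name} verification code is {code}."


def sms_body_with_pairing(pairing: str, code: str) -> str:
    """The suggested alternative: pairing string plus code, no service name."""
    return f"{pairing}: {code}"


class Challenge:
    def __init__(self, pairing: str, code: str, expires_at: float):
        self.pairing = pairing
        self.code = code
        self.expires_at = expires_at
        self.used = False


_challenges = {}  # session_id -> Challenge (in-memory store for the example)


def issue_challenge(session_id: str, now=None):
    """Create a challenge for a session. Returns the pairing string (to show in
    the app) and the SMS body (to hand to the SMS gateway)."""
    now = time.time() if now is None else now
    ch = Challenge(new_pairing_string(), new_code(), now + CODE_TTL_SECONDS)
    _challenges[session_id] = ch
    return ch.pairing, sms_body_with_pairing(ch.pairing, ch.code)


def verify_code(session_id: str, submitted: str, now=None) -> bool:
    """Constant-time comparison; each challenge is single-use and expires."""
    now = time.time() if now is None else now
    ch = _challenges.get(session_id)
    if ch is None or ch.used or now > ch.expires_at:
        return False
    ok = hmac.compare_digest(ch.code.encode(), submitted.encode())
    if ok:
        ch.used = True
    return ok


def leaks_service_name(sms_body: str, service_names) -> bool:
    """Check to run over every outgoing SMS template in a test suite: does the
    body contain any name the service is known by?"""
    lower = sms_body.lower()
    return any(name.lower() in lower for name in service_names)


if __name__ == "__main__":
    pairing, body = issue_challenge("session-abc")
    print("show in app:", pairing)
    print("send by SMS:", body)
    print("old style leaks name:",
          leaks_service_name(sms_body_with_app_name("ExampleApp", "123456"), ["ExampleApp"]))
    print("new style leaks name:", leaks_service_name(body, ["ExampleApp"]))
```

The pairing string only helps the user confirm which session the message belongs to; the security of the factor still rests on the code, which is why the verifier compares in constant time, expires the challenge, and refuses a second use.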

@theprivacyfoundation also, maybe not use SMS for 2FA at all? I know it's easy and convenient (for the provider) but it's also unreliable (cell coverage isn't always good) and will break when people are roaming, especially abroad. Besides being much less secure (many vectors of attack, from cloned SIMs to malicious cell towers).

@renatoram Using a non-Google-based authenticator app is a good choice, but it does add complexity for the non-technical people. The risk of lock-out is higher too.

SMS 2FA is not perfect, but is more secure than not having a 2nd factor.

Some sites don't even give the option of SMS or authenticator apps. So our hope is to try to convince developers to refactor their messaging in the SMS itself.
