Scott Hanselman 🌮 · Aug 30, 2019 · 8:45 PM UTC

Scott Hanselman 🌮 @shanselman

30 Aug 2019

HOW did the CEO of Twitter's account get hacked? Don't y'all have people for that? An oh shit button? 2FA? Something?

551

Aaron Parecki · Aug 30, 2019 · 8:48 PM UTC

Aaron Parecki @aaronpk

30 Aug 2019

SIM hijacking is a thing, and why SMS should never be used for two factor authentication

Heather Downing · Aug 30, 2019 · 10:51 PM UTC

Heather Downing @quorralyne

30 Aug 2019

What factor would you prefer though?

Aaron Parecki · Aug 30, 2019 · 11:47 PM UTC

Aaron Parecki @aaronpk

30 Aug 2019

Something that can't be taken away from me without my knowledge. So, yubikey, TOTP, or even push notification, etc.

Stefán Jökull Sigurðarson · Aug 31, 2019 · 11:14 AM UTC

@stebets

31 Aug 2019

SMS 2FA is always better than no 2FA though.

Aaron Parecki · Aug 31, 2019 · 2:21 PM UTC

Aaron Parecki · Aug 31, 2019 · 2:21 PM UTC

Aaron Parecki @aaronpk

31 Aug 2019

If SMS is purely for 2FA then yes. but quite often adding SMS 2FA also lets you use SMS for account recovery, and that is worse than having no 2FA.

Aug 31, 2019 · 2:21 PM UTC

Stefán Jökull Sigurðarson · Aug 31, 2019 · 5:19 PM UTC

@stebets

31 Aug 2019

Agreed. For recovery it's bad.