
Consider: Marking SMS only 2FA as insufficient #20

Open
vidia opened this issue Sep 25, 2017 · 7 comments
Labels
enhancement New feature or request

Comments

vidia commented Sep 25, 2017

It would be nice to see sites that only have SMS-based two-factor marked as "good, but insufficient", and potentially having the same tweet and email links that other entries have, to request that a TOTP-based code be added.

There has been a lot of talk lately about how insecure an SMS-based two-factor auth system can be. It would be nice to see that communicated here to raise that awareness. While SMS is better than nothing, it is not an entirely secure option.

I'd like to see those fields marked with, possibly, yellow to denote that they are good, but not good enough.

@stephenreay

This is a good point, it'd also be good to highlight the services (e.g. Twitter) where you can't turn off SMS 2FA even if you have a TOTP client setup.

@Jawshy Jawshy added the enhancement New feature or request label Oct 11, 2017
Carlgo11 commented Oct 13, 2017

Yellow is already being used on sites marked as working on implementing 2FA.
My suggestion is either:

  • Make the colour amber (might be bad for people with colour-blindness?)
  • Completely remove the SMS row (Might be weird as it's still better than Email 2FA which IS still listed)
  • Remove the In progress marking which would leave yellow available for use.

Thoughts?

@conorgil

I recently wrote an article about why SMS 2FA is insecure and came here to open an issue related to somehow communicating to users which 2FA methods are better than others. Putting a warning near SMS 2FA somehow makes a lot of sense to me too.

Is the "In Progress" indicator still used? I don't have all of the history of the project, but it seems like it has changed a lot in the last 6 months or so.

We could always rely on black and white icons to avoid the color problem. For example, something like this.

Carlgo11 referenced this issue in 2factorauth/twofactorauth May 23, 2018
MailChimp has two KB articles on 2FA, one for SMS and one for software/apps. I think it is more beneficial to have a documentation link to the app article because something like Google Authenticator or Duo tends to be more secure than SMS. I see you guys are actively discussing this here: https://github.com/2factorauth/twofactorauth/issues/2760.
@imthenachoman

I too think this would be a great addition. If folks support it I don't mind looking through the web render code to see how to implement. If it is easy enough I wouldn't mind giving it a go.

deviant commented Jul 5, 2021

Frankly, it would be good to remove the SMS/phone columns entirely. The only legitimate options in this day and age are TOTP and hardware keys, IMO. E-mail isn't really acceptable either, as encryption is best-effort and is thus trivial to MITM. Additionally, if a service lets you initiate a password reset via e-mail that disables 2FA without requiring said 2FA, it's only as secure as e-mail is.

@indolering

What if we colored those with only SMS/phone, and hard/soft tokens that can be bypassed with SMS, as yellow and offered a modified call-to-action?
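One way to implement the weakest-path rule proposed above (SMS-only, tokens that can be bypassed with SMS, and e-mail resets that drop 2FA all rate the same), as an added example that is not the project's own code: the entry fields, the method labels and the sample sites are assumptions constructed for this example, not the site's data schema.

```python
# Added example, not code from the 2factorauth project. Field names, method
# labels and the sample entries are assumptions made up for this illustration.
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum


class Strength(IntEnum):
    """Rough ordering of second factors, weakest first."""
    NONE = 0
    EMAIL = 1      # code sent by e-mail: only as strong as the mailbox
    PHONE = 2      # SMS or voice call: SIM swap, SS7, carrier social engineering
    TOTP = 3       # app-generated codes: still phishable, but no carrier in the loop
    HARDWARE = 4   # U2F / WebAuthn keys: origin-bound, phishing-resistant


# Assumed labels; the project's own YAML keys may differ.
METHOD_STRENGTH = {
    "email": Strength.EMAIL,
    "sms": Strength.PHONE,
    "call": Strength.PHONE,
    "totp": Strength.TOTP,
    "u2f": Strength.HARDWARE,
}

COLOUR = {
    Strength.NONE: "red",
    Strength.EMAIL: "yellow",
    Strength.PHONE: "yellow",
    Strength.TOTP: "green",
    Strength.HARDWARE: "green",
}


@dataclass
class SiteEntry:
    name: str
    methods: list[str] = field(default_factory=list)
    # Can a user who has set up TOTP or a key actually turn SMS/call off?
    phone_removable: bool = True
    # Does an e-mail password reset clear 2FA without presenting a factor?
    reset_bypasses_2fa: bool = False


def effective_strength(entry: SiteEntry) -> tuple[Strength, str]:
    """Return the weakest path an attacker can still use, and why."""
    if not entry.methods:
        return Strength.NONE, "no 2FA"
    best = max(METHOD_STRENGTH.get(m, Strength.NONE) for m in entry.methods)
    reason = f"strongest method is {best.name.lower()}"
    # A phone factor the user cannot switch off stays a valid login path,
    # so the account is only as strong as the phone number.
    has_phone = any(METHOD_STRENGTH.get(m) == Strength.PHONE for m in entry.methods)
    if has_phone and not entry.phone_removable and best > Strength.PHONE:
        best, reason = Strength.PHONE, "sms/call cannot be disabled"
    # A reset flow that drops 2FA makes the mailbox the real second factor.
    if entry.reset_bypasses_2fa and best > Strength.EMAIL:
        best, reason = Strength.EMAIL, "e-mail password reset disables 2FA"
    return best, reason


def badge(entry: SiteEntry) -> tuple[str, str | None]:
    """Colour for the listing plus a call-to-action for yellow entries."""
    strength, reason = effective_strength(entry)
    colour = COLOUR[strength]
    cta = f"Ask {entry.name} to fix: {reason}" if colour == "yellow" else None
    return colour, cta


# Constructed sample entries (hypothetical sites, not real listings).
SAMPLE_ENTRIES = [
    SiteEntry("sms-only.example", ["sms"]),
    SiteEntry("locked-phone.example", ["sms", "totp"], phone_removable=False),
    SiteEntry("keys.example", ["totp", "u2f"]),
    SiteEntry("reset-hole.example", ["totp", "u2f"], reset_bypasses_2fa=True),
    SiteEntry("nothing.example", []),
]


def rate_all(entries: list[SiteEntry] = SAMPLE_ENTRIES) -> dict[str, str]:
    """Map each site name to its listing colour."""
    return {e.name: badge(e)[0] for e in entries}


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(e.name, *badge(e))
```

The point of the cap in `effective_strength` is that the badge follows the weakest path an attacker can use, not the strongest method the site advertises: a site with U2F but a non-removable SMS fallback rates the same as an SMS-only site.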

@imthenachoman

I was thinking about this more. This site's goal is to list if websites support 2FA or not. Should this site start discussing pros/cons with the various ways? I mean, each of the different ways has different risks associated with it.

Getting into the pros/cons debate is a big undertaking and may detract from the objective of this website. Educating customers on which way is better is a big undertaking with a lot of questions and arguments.

I'm not saying this website shouldn't -- I'm just saying if it does then it'll have to be prepared for a lot of debate and associated work (i.e. training/education/etc.)

@Carlgo11 Carlgo11 transferred this issue from 2factorauth/twofactorauth Dec 25, 2022