So now instead of social engineering the government intern all they have to do is social engineer the phone company. It’s called SIM swapping. 2FA is bullshit and doesn’t work in practice.
I only say 2FA because every instance of being offered the choice to use 2FA in my experience was phone based. It’s by far the most common 2FA scheme — it’s very widely asserted that phone based 2FA is secure and it enrages me because it really isn’t.
But something like U2F as far as I can tell isn’t any better than memorizing a strong pass-phrase. It’s basically just moving the password manager to a computer that’s not connected to the internet. I guess it’s easier than memorizing.
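For readers weighing the comment above, here is a worked model of what a U2F-style exchange actually consists of. It is an added example, not code from the thread or from any U2F implementation: the device holds a per-origin P-256 private key that never leaves it, the server stores only the public key and a counter, and each login is a signature over the server's own origin hash, the counter and a fresh challenge. The origins, key-handle format and challenge strings are constructed for the demo; real U2F wraps the key handle and client data differently.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models a U2F-style token: one private key per (origin, key handle).
// Private keys never leave the device; only signatures do.
type Device struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32 // monotonically increasing signature counter
}

// Registration is all the relying party stores: key handle plus public key.
type Registration struct {
	KeyHandle string
	PubKey    *ecdsa.PublicKey
}

// Register mints a fresh P-256 key pair bound to appID (the site origin).
func (d *Device) Register(appID string) (Registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Registration{}, err
	}
	var kh [16]byte // constructed key handle: random bytes, not a real U2F handle
	if _, err := rand.Read(kh[:]); err != nil {
		return Registration{}, err
	}
	handle := hex.EncodeToString(kh[:])
	d.keys[appID+"|"+handle] = priv
	return Registration{KeyHandle: handle, PubKey: &priv.PublicKey}, nil
}

// Assertion is the device's answer to a challenge.
type Assertion struct {
	Counter uint32
	Sig     []byte
}

// signedData is the digest both sides compute: SHA256(SHA256(appID) || counter || SHA256(challenge)).
func signedData(appID string, counter uint32, challenge []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	ch := sha256.Sum256(challenge)
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	msg := append(append(append([]byte{}, app[:]...), ctr...), ch[:]...)
	digest := sha256.Sum256(msg)
	return digest[:]
}

// Sign answers a challenge for the origin the browser reports. An origin with
// no registered key gets an error instead of a signature.
func (d *Device) Sign(appID, keyHandle string, challenge []byte) (Assertion, error) {
	priv, ok := d.keys[appID+"|"+keyHandle]
	if !ok {
		return Assertion{}, errors.New("no key registered for this origin/handle")
	}
	d.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(appID, d.counter, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Counter: d.counter, Sig: sig}, nil
}

// Server is the relying party: its own appID, the stored registration and the
// last counter it accepted.
type Server struct {
	AppID       string
	Reg         Registration
	LastCounter uint32
}

// Verify rejects stale counters (replay / cloned-token signal) and checks the
// signature under the server's own appID, never one supplied by the client.
func (s *Server) Verify(challenge []byte, a Assertion) bool {
	if a.Counter <= s.LastCounter {
		return false
	}
	if !ecdsa.VerifyASN1(s.Reg.PubKey, signedData(s.AppID, a.Counter, challenge), a.Sig) {
		return false
	}
	s.LastCounter = a.Counter
	return true
}

// Demo runs three cases: a genuine login, a replay of the same assertion, and an
// assertion minted for a look-alike origin and relayed to the real server.
func Demo() (genuine, replay, relayed bool, err error) {
	dev := &Device{keys: map[string]*ecdsa.PrivateKey{}}
	srv := &Server{AppID: "https://bank.example"} // constructed origin
	if srv.Reg, err = dev.Register(srv.AppID); err != nil {
		return
	}
	c1 := []byte("constructed-random-challenge-1")
	a, err := dev.Sign(srv.AppID, srv.Reg.KeyHandle, c1)
	if err != nil {
		return
	}
	genuine = srv.Verify(c1, a)
	replay = srv.Verify(c1, a) // counter did not advance: rejected
	look := "https://bank-login.example" // constructed look-alike origin
	lreg, err := dev.Register(look)
	if err != nil {
		return
	}
	c2 := []byte("constructed-random-challenge-2")
	la, err := dev.Sign(look, lreg.KeyHandle, c2)
	if err != nil {
		return
	}
	relayed = srv.Verify(c2, la) // different key and different appID hash: rejected
	return
}

func main() {
	g, rp, rl, err := Demo()
	fmt.Println("genuine:", g, "replay:", rp, "relayed:", rl, "err:", err)
}
```

The point the model makes concrete: the server never holds anything that lets it (or someone who dumps its database) log in as the user, and an assertion is only valid for the origin hash and challenge it was signed over, so it cannot be replayed or relayed from another site. A memorized pass-phrase, however strong, is a single secret that the server must be given on every login.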
It adds one more layer of security and makes stuff like this much more difficult. Now the attacker has to both figure out his password and hack his phone. How is this bullshit?
Because the way it’s implemented in 99% of cases is password reset uses your phone for validation. But that’s not true 2FA.
It’s a widespread lack of courage which I think afflicts many areas of the western world right now. Instead of making things right, everyone just says well if you lose your password then it’s ok, just do x y and z and you can reset your password. Never mind the fact that this completely ruins the whole point of passwords and 2FA. People aren’t brave enough to just confront the plain fact that in order to have security, you have to let your customers deal with the bitter consequences of losing their passwords. Instead of rightly putting the burden of managing passwords on the consumer, we treat them like children at the expense of sanity and order.
Just strong passwords and backup passwords are way stronger than 2FA anyway.