1

I would like to move away from SMS 2FA (because of Should 2FA over SMS be considered insecure in the wake of recent SS7 attacks? for example).

But some services that provide Authenticator apps actually provide fallbacks mechanisms that go to SMS. For example, LastPass Authenticator gives:

enter image description here

So really, in such a scenario, app 2FA brings no added security to SMS 2FA.

It just brings ease of use I guess, but I'm frustrated to see that. I would prefer to disable 2FA SMS altogether (and rather have backup codes in case of device unavailability). Edit: Just checked, it's possible to do in gmail.

Is there something I miss there, or is it really that sad?

Qortex
  • 321
  • 2
  • 9
  • Can you disable SMS 2FA? I've had this some time as well, but so far I've always been able to disable it. – mhr Jun 17 '19 at 18:42
  • 1
    nope, can't see an option on lastpass for example. Indeed, Gmail also does the same, but you can remove your phone number if you want to prevent that. – Qortex Jun 17 '19 at 18:49
  • 1
    What's your actual question? Can you please edit and clarify? – PwdRsch Jun 17 '19 at 21:05

1 Answers1

1

You need in Appenter link description here 2FA, see the attached image as an example in gmail. Above most operators are installing SS7/Signalling firewall to ensure that subscribers are secure from SMS interception and redirection attacks.

Coding_A_Nation
  • 86
  • 8
  • If you click "Skip" in your image, you might get an option to validate through SMS, depending on your config. Also, SS7 is not the only way to intercept. SMS sometimes show text even though the screen is locked, which can be an attack vector I would like to avoid in principle. – Qortex Jun 17 '19 at 19:17
  • Yes Mic, You can also intercept SMS via Diameter protocol or if you have malicious application installed in your phone that reads, the sent it to the hacker. Once the SMS has been sent to the hacker, the malicious application can delete SMS before you even get to read it or see it. – Coding_A_Nation Jun 20 '19 at 05:59