SMS Two Factor Authentication


#1

Please introduce SMS-based two factor authentication for accounts. Other options are available, but traditional route would be opted by most.
Think about it. Thank you.


#2

Not really.

Although this thinking works:


#3

What happens if your phone is stolen, or lost. And the person then hacks into one’s google account. With SMS, one is connected to the phone number.


#4

You should really use a password manager like 1Password or LastPass to keep those things, because the phone would become the single point of failure.

SMS can be spoofed and intercepted.


#5

SMS-based attacks are mostly targeting political opponents, or very high profile individuals. Common folks not so much.
If it were that insecure, why would all other companies (Google included) offer it.
Anyways, CloudFlare should at least put the request on the thinking table.


#6

Probably the same thing as I put before in the link. Better than nothing.


#7

If a person is high value target, the attack is generally to illegitimately port their number.

I believe FIDO2 is on the roadmap:
https://fidoalliance.org/fido2/


#8

And in case the phone gets compromised, and google account taken over; it will come back to SMS authentication again. So, it’s a loop back into the same game.

As for the password managers, majority of the people aren’t that tech savvy.

But, this topic will quickly become banter HQ, so I’ll bail out. I believe CF must have thought about it already and thrown the idea into the dustbin.