Perhaps, but you still cannot use this to authenticate to Twilio itself. Twilio requires either using unsafe SMS or some version of EEE[1] in their console.
The argument then goes back to, why pick up an external dependency and cost for open standard authenticator when you could just include a library and generate it yourself.
This allows a developer to have all the benefit of the Authy API, including enhancing the experience using push authentication or dropping back to SMS if needed, as well as allowing users to use an authenticator app of their choice. It's the best of all worlds in this case.
But if building and maintaining app based TOTP using a library is good enough for you, then go for it. I'm certainly not going to make you use Twilio's APIs, but plenty of businesses do see the benefit.
The nice thing about using autocomplete with username and current-password is that it can help your password manager auto fill these fields across pages if they are implemented like this.
Further to this, it is also why I suggested the pattern workaround for older browsers.
You shouldn't find yourself in too much trouble in a browser if you add an attribute to an element that it doesn't understand though, it will just ignore it.
I’m actually paid to say that too ;) . In fact, SIM swapping isn’t the only weakness of SMS, take a look into the SS7 network and how that allows for a rogue operator to redirect SMS messages too.
At Twilio, we have APIs for two factor authentication and we recommend implementing via push notification to the Authy app with “approve” and “deny” buttons. This is more secure and a better experience than SMS. The API also allows for regular app based 2FA, with a TOTP code, which is more secure than SMS. But it also allows you to fallback to SMS, which is still more secure than no 2FA.
You do have to consider the threat model for your own application when considering these sort of security measures. If the value of an account takeover is high then a targeted attack can, and will, break SMS 2FA. Which is why the Twilio 2FA API allows you to turn off SMS 2FA if you choose.
Ultimately I’d prefer SMS over nothing when it comes to 2FA, but I also encourage developers to use more secure options that can also have a better experience.
I'm not advocating for poorly implemented 2FA, just that SMS 2FA is more secure than just a password.
If a site required you to have a 32 character length password, but kept the passwords in plain text, that wouldn't make your password any less strong. It just opens a different attack vector. If a site implements 2FA via SMS, but allows password reset via SMS it doesn't make SMS 2FA less secure, it makes that sites implementation incorrect.
SMS 2FA isn't more secure than just a password. It actually opens up holes.
When my gf lived in Malaysia, she added her phone number to FB and forgot about it. Years later, after having moved back to Vietnam, the number was recycled and someone was able to use that number to gain access to her FB account and reset the password.
Had she never added her number to FB (and you can extend this to any service which offers SMS 2FA), her account would have been safe.
I'd argue that Twilio should remove SMS 2FA as an option. Period. Just move on from it. Please.
The security hole there is using SMS as an account reset, which makes it a one factor solution (see other discussions of this in the thread). The error was in that implementation, not in SMS 2FA in general.
* Applications that take a phone number for one reason (2FA or otherwise) and also use it as a single factor for account reset are less secure in the case of number recyling.
* Applications that do 2FA via SMS do not necessarily do account resets via SMS
* 2FA over SMS is more secure than just having a password to secure an account.
I am sorry your girlfriend had this problem. I would have hoped a business like Facebook would better understand phone number usage. Their penchant for taking as much data as they can and using it however they like clearly burned some of their users here. I hope they have tightened up this hole and that this didn't affect too many people.
Ok, makes sense. Thank you for the kind response and I approve of most of it. I think we will have to agree to disagree on the last * though. I think that statement is very much 'it depends.'
I apologize for going in circles one more time... but by not providing 2FA SMS, it is impossible to f'ck it up or be abused. Right?
I shy away from any rules that say you can’t mess something up simply by avoiding one thing, especially in this sort of case. Consider also that avoiding 2FA by SMS may avoid sim swap or recycle attacks, but it could also eliminate 2FA for users who don’t have a device capable of running an authenticator application (a feature phone).
There’s a lot more at play here, and “just don’t” isn’t a nuanced enough answer to 2FA by SMS.
But as I said towards the end of the previous comment, if you deem the threat to your users great enough that targeted SMS attacks are a problem, you can turn off that fallback.
That's an interesting question, depends on the support you're expecting.
In this case the desktopCapture API was introduced in Chrome 34 but arrow functions only turned up in version 45 onwards.
You can set a minimum Chrome version in the extension manifest though, which would mean you can set a version that guarantees the JS support that you want.
- how many sales you need per day - how many sales you need per month - monthly traffic