Two factor authentication is still, in my opinion, the strongest way to go. This case is really the phone company's fault, maybe they'll learn from this and start teaching the customer support reps what the difference is between a correct password and an incorrect password.
Every time I have to call customer support to reset a bank password it makes me realize how bad of a security hole most phone support is. Security through two-factor authentication is only as strong as the process for bypassing it.
Sounds like a lot of effort, or at least a lot of things to consider. I wonder how many people were completely locked out of their accounts because they enabled 2-factor auth and didn't do all the right things.
The root problem in this story is that things are just too damn interconnected these days. And we're encouraged to interconnect them even further (using cellphones to authenticate email, in this case).
Edit:
I think that my reply is not harsh enough. After reading the comments more closely, I see that this is a typical IT response to IT failure. 1. Ignore the root cause. (Interconnectedness.) 2. Blame the user. (Implicitly, for not enabling two-factor auth.) 3. Suggest a workaround and dismiss any concerns about real-life scenarios. (E.g. losing your wallet and cellphone in an emergency. Emergencies like that happen more often than you'd think.) 4. Feel smug.
Rule #1 of security: There is no such thing as perfect security.
Of course there are still problems with two factor authentication, but it's better than the alternative.
If you lose your phone with two factor auth the provider should give you several temporary keys that you can use, or a way to contact their support line and confirm your identity.
This is not two factor authentication, this is merely trading one factor (your password) for another factor (your telephone). In proper two-factor authentication, you should be required to enter your real password into your phone and THEN get a one-time password back out (your telephone is a trusted device).
My teenage friends trade phones all the time and they constantly nab them out of pockets, backs, purses, etc. for a few seconds. This change makes it trivially easy to steal someone's credentials.
Two factor is magnitudes better than password only, but it's not foolproof.
Security is only as strong as the weakest link. CloudFlare was hacked recently because the attacker was able to redirect voicemail to another account, then use the two-factor backup recovery phone option to take control of Google Authenticator.
Two factor authentication is nothing more than a massive vulnerability. We've seen people somehow change our listed contact numbers through unknown exploits, then hijack ownership of properties using the new number to prove they are us. This wouldn't be possible if not for 2nd factor authorization schemes.
The difficult question regarding two factor authentication is "what do you do if you lose the second factor?"
The answer to that question can often range all the way from "your account is lost forever" to "you have to go through a whirlwind of bureaucratic pain" to "the alternative method of entry is easy, hassle free, and how your account will end up compromised."
If you don't let people use two factor auth, they bitch about your lack of security. If you let people use two factor auth, they bitch that you're collecting phone numbers. Can't win.
Even 2FA will have some mechanism for resetting the password without the second factor, because people lose their 2FA device (usually a phone) all the time. There has to be a way to recover from losing your 2FA device - given how easily the social engineering was shown to be here, I doubt that would help much.
Two factor authentication is dumb. It invites poor discipline with reusing passwords and with 500 pound gorilla corps, losing your second factor is losing your account permanently.