2FA through SMS is less secure than TOTP, but is the promoted one.
Uman.6150
Member ✭
Hi there,
As a software engineer with interests in security, I am quite baffled with your current focus to showcase 2FA (Factor Authentication) SMS as the preferred solution.
I see the following issue:
- I have a 2FA with TOTP (authy/google authentificator) enabled on my account.
- I regularly get advertised to update my 2FA to a SMS based one, to get a "free mini" in exchange.
There has been a lot of press in the last few years that described the risk of targeted attack with SMS 2FA (this article from twillio explains it well).
So in terms of security, I'd say:
no 2FA < SMS 2FA < TOTP 2FA < USB security key 2FA (the last one isn't implemented in GW2)
One would argue that promoting a less secure method of 2FA (and one that costs you money for each SMS sent) isn't great, which is why I'd suggest the following:
- Don't suggest TOTP users to switch to a SMS based 2FA.
- Give the same miniature for those with TOTP enabled.
Cheers
Note: My understanding is that you feel SMS 2FA is safe enough, considering that what is at stake can probably be resolved through support, and doesn't bring any financial or privacy hit.
SMS is also probably easier to setup for your customers vs having them use a 2FA app on their phone.
For those who do get the most secure choice (and are fine with it), being encouraged to downgrade still feels off.
Comments
ArenaNet already suggests using an authenticator. And, offers a Mini-pet, as well.
https://help.guildwars2.com/hc/en-us/articles/230672927-Securing-Your-Account-With-Authentication
https://wiki.guildwars2.com/wiki/Edit_account#Security
https://forum-en.gw2archive.eu/forum/info/news/Beta-Feature-Mobile-Two-Factor-Authentication
and, of course, there's this (my preference):
https://help.guildwars2.com/hc/en-us/articles/201862858-E-mail-Authentication
They recommend SMS simply because it's the easier of the two to set up. The reason they push 2FA at all (email authentication was already enabled by default) is because back when it was first implemented, the various data breaches were happening and people were using the same logins everywhere, thus email authentication was easily bypassed. The other 2FA options in this case serve as a minor delay, as the attacker now has to phish support into giving them access (which will happen eventually).
For those who know what they're doing however, email authentication (with a properly secured email) is the strongest option they offer. You can get the mini by temporarily enabling the other 2FA options and you can disable the warning with a script or using Gw2Launcher.