2FA through SMS is less secure than TOTP, but is the promoted one. — Guild Wars 2 Forums

2FA through SMS is less secure than TOTP, but is the promoted one.

Hi there,

As a software engineer with an interest in security, I am quite baffled by your current focus on showcasing SMS 2FA (two-factor authentication) as the preferred solution.

I see the following issue:

  • I have 2FA with TOTP (Authy/Google Authenticator) enabled on my account.
  • I regularly get advertised to update my 2FA to an SMS-based one, to get a "free mini" in exchange.

There has been a lot of press in the last few years that described the risk of targeted attacks with SMS 2FA (this article from Twilio explains it well).

So in terms of security, I'd say:
no 2FA < SMS 2FA < TOTP 2FA < USB security key 2FA (the last one isn't implemented in GW2)

One would argue that promoting a less secure method of 2FA (and one that costs you money for each SMS sent) isn't great, which is why I'd suggest the following:

  • Don't suggest that TOTP users switch to SMS-based 2FA.
  • Give the same miniature to those with TOTP enabled.

Cheers

Note: My understanding is that you feel SMS 2FA is safe enough, considering that what is at stake can probably be resolved through support, and doesn't bring any financial or privacy hit.
SMS is also probably easier to set up for your customers vs having them use a 2FA app on their phone.
For those who do get the most secure choice (and are fine with it), being encouraged to downgrade still feels off.
