Uman.6150
Posted April 6, 2021

Hi there,

As a software engineer with interests in security, I am quite baffled with your current focus to showcase 2FA (Factor Authentication) SMS as the preferred solution.

I see the following issue:

- I have a 2FA with TOTP (Authy/Google Authenticator) enabled on my account.
- I regularly get advertised to update my 2FA to an SMS based one, to get a "free mini" in exchange.
- There has been a lot of press in the last few years that described the risk of targeted attack with SMS 2FA (this article from Twilio explains it well).

So in terms of security, I'd say:

no 2FA < SMS 2FA < TOTP 2FA < USB security key 2FA (the last one isn't implemented in GW2)

One would argue that promoting a less secure method of 2FA (and one that costs you money for each SMS sent) isn't great, which is why I'd suggest the following:

- Don't suggest TOTP users to switch to an SMS based 2FA.
- Give the same miniature for those with TOTP enabled.

Cheers

Note: My understanding is that you feel SMS 2FA is safe enough, considering that what is at stake can probably be resolved through support, and doesn't bring any financial or privacy hit. SMS is also probably easier to set up for your customers vs having them use a 2FA app on their phone. For those who do get the most secure choice (and are fine with it), being encouraged to downgrade still feels off.