I think an important question that Tavis either explicitly or accidentally omitted is “for whom”. I am not sure why he did not include this as it’s a critical component to his argument. If Tavis is stating that “SMS 2FA is ineffective for an enterprise”, then I would agree. The threat model that he is operating from is that an organization is being explicitly targeted by a motivated (though not necessarily extremely capable) attacker, who only needs minimal access to cause great harm. However, if Tavis is instead simply stating “SMS 2FA is ineffective” with no caveats, I would disagree.
When considering SMS 2FA, one needs to look at their threat model and personal risk. To argue this point, I will attempt to address his points from the perspective of a technologically immature individual looking to secure their bank account. In this context, one’s threat model changes from “I need to protect all the accounts” to “I simply need to make sure my account is more secure than someone else’s”. From this perspective, SMS 2FA provides significantly more protection from credential stuffing than a username/password combination. In addition, the argument of “an attacker can simply move to a different service” no longer holds as not all accounts for this user are of equal importance. Access to their neopets account is significantly less valuable than their bank account.
Another one of Tavis' arguments is “Instead, why not simply randomly generate a good password for them, and instruct them to write it down or save it in their web browser? If they lose it, they can use your existing password reset procedure.” I think this argument ignores the reality of today’s world in that, if a commercial service forced that kind of policy, it would not be adopted by users. Anyone who has worked with a technologically immature user can attest to how common it is for users to forget or lose their password. While, again, I can see such a service working for an enterprise product, I do not see such an authentication scheme being acceptable for a B2C product.
I’d also like to discuss his point of “We have a finite pool of good will with which we can advocate for the implementation of new security technologies. If we spend all that good will on irritating attackers, then by the time we’re ready to actually implement a solution, developers are not going to be interested.” As far as I can tell, Tavis is arguing that if one invests their time in implementing 2FA, then developers will not be interested in allowing or enforcing more secure options. Coming from the perspective of someone who has worked with numerous developers during my time with consulting, I do not feel that this is true. Security is top of mind for numerous companies. Account compromise not only has a cost to a user, but also has a cost the service provider. This can be in terms of refunds, time spent restoring access, or other direct resource cost. Additionally, I think Tavis is oversimplifying the argument. His statement of “all that good will” implies that implementing SMS 2FA will “use up” security’s ability to influence the security features a product will implement. He exhibits a false dichotomy logical fallacy where he represents the decision as either all or nothing.
Security is ultimately a risk calculation. SMS 2FA doesn’t prevent malware and it doesn’t prevent phishing. However, risk is about using your resources to make the impact or likelihood of a failure event. SMS 2FA does just that by efficiently reducing the likelihood of credential stuffing attacks. Do I wish that all sites supported U2F for 2FA and do I encourage everyone to use a password manager to generate random passwords? Yes. Will I continue to recommend that enterprises not support SMS 2FA for SSO and other solutions? Yes. However, I recognize the reality that we live in that password-based authentication is a bandaid for the larger identity problem for the world wide web and B2C services. And I will continue to tell my friends and family that SMS 2FA is better than nothing. If you have counterarguments, please feel free to reach out via email or twitter, and I’d be happy to respond in an addendum to this post. Have a great weekend and remember to be respectful in your discourse.