I think an important question that Tavis either explicitly or accidentally omitted is “for whom”. I am not sure why he did not include this as it’s a critical component to his argument. If Tavis is stating that “SMS 2FA is ineffective for an enterprise”, then I would agree. The threat model that he is operating from is that an organization is being explicitly targeted by a motivated (though not necessarily extremely capable) attacker, who only needs minimal access…

On a recent Purple Team engagement, I was accessing the client’s Splunk cloud instance. Being my normal typo-filled self, I fat fingered the URL and went to clieent.splunkcloud.com instead of the correct client.splunkcloud.com. Instead of being redirected to the login portal, I received a DNS resolution error, fixed the typo, and moved on. A little while later, I was thinking about the typo again and wondered how this information leakage could be utilized by an attacker. To backup a little, a…