Thread: SMS as 2FA yet?
3 Jan 2017, 10:02 PM   #10
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 371
Quote:
Originally Posted by Terry
Why would you say that? Banks here in Australia use SMS to send a log in account password and so do the Government, surely if it was unsafe they would use some other method?
Well, it's not about it being "unsafe" so much as "not as safe" as other methods. I think the problem is that for a lot of public organizations like banks and Government agencies, SMS is the "least common denominator." It's not about security in that sense so much as convenience, and as others have pointed out, it's also better than not using a second factor at all.

The reality is that you're not going to get the vast majority of average users (probably 90% of the bank/Government user base) to fiddle with TOTP apps or buy U2F keys, so you're left with having to lower your security standards to the very lowest solution that pretty much every one of your clients has access to, and of course that's SMS, since almost everyone has a mobile phone these days.

Again, better than not having a second factor at all, and a big part of any security model is buy-in and usability from the user base. Security that nobody is going to use is no better than no security at all.