Forum Discussion

USER
Newbie Caller
4 years ago

Feature Request: Configure 2FA Options Available

I would like to request a feature given that Google Authenticator is available as an option for two-factor authentication. Right now, when I log in, I'm given three options for 2FA:

  1. SMS
  2. Google Authenticator
  3. Email

As it stands right now, enabling Google Authenticator provides no additional security if SMS can be selected as an option. Given the potential risks of SIM swapping, SMS as a form of 2FA is useless. Users should have the ability to turn off SMS as a form of 2FA, especially if Google Authenticator is enabled.
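To make the point in this post concrete, here is a small added example (not code from the original thread or from any carrier's systems) that models the login policy being asked for: an account can enroll several second factors, and the effective strength of the login is the strength of the weakest method the server will still accept. The TOTP code is a plain RFC 6238 implementation; the `Account` class, the strength ranking, and the SIM-swap simulation are assumptions made up for the illustration.

```python
import hashlib
import hmac
import struct

# Assumed ranking: SMS and email codes can be intercepted by a SIM swap or a
# mailbox takeover, an authenticator-app (TOTP) secret cannot be redirected.
STRENGTH = {"sms": 1, "email": 1, "totp": 2}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side (clock drift)."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + drift * step, step), code):
            return True
    return False


class Account:
    """Hypothetical account record: enrolled factors plus the policy knob the post asks for."""

    def __init__(self, enrolled, allow_weaker_fallback: bool):
        self.enrolled = set(enrolled)
        self.allow_weaker_fallback = allow_weaker_fallback

    def allowed_methods(self) -> set:
        """Methods the login page may offer for this account."""
        if not self.enrolled:
            return set()
        if self.allow_weaker_fallback:            # today's behaviour: any enrolled method
            return set(self.enrolled)
        best = max(STRENGTH[m] for m in self.enrolled)
        return {m for m in self.enrolled if STRENGTH[m] == best}

    def effective_strength(self) -> int:
        """The login is only as strong as the weakest method still offered."""
        return min(STRENGTH[m] for m in self.allowed_methods())


def sim_swap_attacker_succeeds(account: Account) -> bool:
    """Constructed scenario: attacker holds the victim's phone number (SIM swap) and
    password, but not the TOTP secret, so only an SMS challenge can be answered."""
    return "sms" in account.allowed_methods()


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret, so the TOTP part can be checked offline.
    secret = b"12345678901234567890"
    print("TOTP at t=59:", totp(secret, 59), "verify:", verify_totp(secret, "287082", 59))

    current = Account(["sms", "email", "totp"], allow_weaker_fallback=True)
    requested = Account(["sms", "email", "totp"], allow_weaker_fallback=False)
    for label, acct in (("SMS fallback allowed", current), ("SMS fallback disabled", requested)):
        print(f"{label}: offers {sorted(acct.allowed_methods())}, "
              f"strength {acct.effective_strength()}, "
              f"SIM-swap attacker wins: {sim_swap_attacker_succeeds(acct)}")
```

With fallback allowed the account still offers `sms`, so enrolling the authenticator changes nothing for an attacker who has already swapped the SIM; with fallback disabled the only offered method is `totp` and the SIM swap alone is not enough. The same `allowed_methods` check has to be enforced server-side on every challenge request, not just hidden in the UI, or an attacker can simply request the SMS challenge directly.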

  • whist
    Roaming Rookie

    Completely agree, especially considering the data leak. Enabling an authenticator app without the ability to disable SMS/email authentication doesn't add much/any value.

  • USER
    Newbie Caller

    I will say this for users who are concerned about the data leak with regards to TMO data: there are some things you can do:

    • Rotate your current password
    • Rotate your account security PIN (know that it can be up to 15 characters)
    • Get a new SIM card (getting a new SIM card comes with a new IMSI number)

    Most of that can be done fairly quickly and will quickly make some of the data that was stolen stale.

  • BlueHeron
    Roaming Rookie

    Still, going forward, there needs to be a way to disable SMS verification codes. On every other account I have which offers an authenticator app like Duo or Google for login security, I can remove the SMS 2FA feature, which is a huge security liability.

  • whist
    Roaming Rookie

    Thanks for the advice. I had reset my password and PIN, but didn't think about getting a new SIM card.

  • newishuser
    Transmission Trainee

    I suspect being able to disable SMS verification codes would be a false sense of security. Given that people are able to do the SMS hijack, it doesn't seem a huge leap for them to socially engineer the "need" for it to be turned back on ("I lost the phone that had GAuth on", for example).