Two-Factor Signin
#16
Join Date: Apr 2019
Location: DEN
Programs: DL DM
Posts: 583
I agree that SMS sucks as a 2nd factor (along with the voice call + press # that one of my clients requires). But wouldn't it be better than nothing?
Without SMS: Someone figures out username/password, they're in.
With SMS 2FA: Someone figures out username/password; they still need access to SMS device to finish logging in.
#19
Join Date: Apr 2019
Location: DEN
Programs: DL DM
Posts: 583
It protects you from others guessing your security questions. Since most answers are fairly easy to acquire with the power of social media, using hashes like the example will greatly reduce the ability for someone to guess the answers.
#21
Join Date: Feb 2019
Posts: 3,097
right, which is why 2FA is probably not necessary here in the first place. using strong unique passwords is way more than enough, especially considering the potential loss for customers (near zero).
#26
FlyerTalk Evangelist
Join Date: Oct 2011
Location: ATL
Programs: DL Scattered Smothered Covered Medallion, Some hotel & car stuff, Kroger Plus Card
Posts: 10,745
Fair points. My counter would be that even TSA (and I am certainly not a fan) finds someone with a gun every now and then.
But, what you say does make sense.
#27
Join Date: Feb 2017
Programs: DL DM, UA Gold, Alaska MVP, Bonvoy (lol) Ambassador
Posts: 2,994
SMS 2FA is a HUGE step up from username+password security.
Is SMS perfectly secure? No. BUT 99% of SMS hijacks today require breaking another attack surface (the carrier) to do a SIM-swap or port-out. Pretty much the only other alternative is to either hack the user's physical phone device (not easy for a typical phone user without physical access given that they are walled gardens - although phishing can work here at times) or have already pwned an app server for one of those garbage apps that asks for permissions to read SMS messages.
There are other more esoteric solutions (think Stingray) but those are even more out of reach for a typical hacker.
The point is that SMS 2FA is 100x better than passwords alone. It is another significant step for a hacker to do - the typical SkyMiles account hacker is likely just buying credentials. If they don't work, they move on to the next one. It's the right level of security with a high degree of user convenience for a relatively low security need - while there is a risk to travel disruption and/or loss of SkyMiles, this is nothing like losing access to a bank account where $500K can be wired out into a black hole.
That said, I hate SMS 2FA if there is no alternative given the amount of time I spend in the air. I do think this is why Delta has not implemented it themselves - given that they are in the travel business, a disproportionate number of their users will be in the air or overseas where text messages may not work.
#28
Join Date: Aug 2007
Programs: DL DM
Posts: 1,079
I don't know about that. I think it would be interesting to get a poll going at this site as to how often you've seen a gun found at the TSA during your travels. I know we go through security faster than your typical person but given the frequency of travel, I would think I should have seen an alarm going off at least one time. From my end, I have not seen a single event ever. The only time I was in an alarm setting where they asked everybody to stop where they were ... I figured that would be my event to notice ... but, it was only a drill.
#29
FlyerTalk Evangelist
Join Date: Nov 2014
Location: MSP
Programs: DL PM, UA Gold, WN, Global Entry; +others wherever miles/points are found
Posts: 14,419
That said, I hate SMS 2FA if there is no alternative given the amount of time I spend in the air. I do think this is why Delta has not implemented it themselves - given that they are in the travel business, a disproportionate number of their users will be in the air or overseas where text messages may not work.
#30
FlyerTalk Evangelist
Join Date: Oct 2011
Location: ATL
Programs: DL Scattered Smothered Covered Medallion, Some hotel & car stuff, Kroger Plus Card
Posts: 10,745
I don't know about that. I think it would be interesting to get a poll going at this site as to how often you've seen a gun found at the TSA during your travels. I know we go through security faster than your typical person but given the frequency of travel, I would think I should have seen an alarm going off at least one time. From my end, I have not seen a single event ever. The only time I was in an alarm setting where they asked everybody to stop where they were ... I figured that would be my event to notice ... but, it was only a drill.
My point is not that TSA is good or consistent at finding guns or anything else, just that they do find them from time to time.
For the sake of argument, say that the ~4,000 guns found by TSA in 2018 only represents 1% of the total guns people attempted to bring through security. That would unquestionably be an overwhelming failure by TSA, and would mean that 396k other guns did make it past the checkpoint. But the fact remains that 4k guns were still blocked.
Remove TSA entirely and replace it with nothing else (which would be the corollary of not using SMS 2FA and also not using anything else), and you now have 400k guns inside airport terminals. By any measure I can think of, 400k > 396k.
In this example, the username/password combination could be compared to physical keys to the curbside door of the airport, and the malicious actor has already purchased/stolen a copy of these keys from somewhere.
(This is meant to be a ridiculously oversimplified comparison. We're all aware that there are multitudes of other issues with TSA and that some of their practices may hurt rather than help. But at an exceptionally basic level, I'd still contend that having a poorly-run security checkpoint provides more of a barrier than no checkpoint at all.)