Password breach teaches Reddit that, yes, phone-based 2FA is that bad

(Image credit: Misaochan)

A newly disclosed breach that stole password data and private messages is teaching Reddit officials a lesson that security professionals have known for years: two-factor authentication (2FA) that uses SMS or phone calls is only marginally better than no 2FA at all.

In a post published Wednesday, Reddit said an attacker breached several employee accounts in mid-June. The attacker then accessed a complete copy of backup data spanning from the site's launch in 2005 to May 2007. The data included cryptographically salted and hashed password data from that period, along with corresponding user names, email addresses, and all user content, including private messages. The attacker also obtained email digests that were sent between June 3 and June 17 of this year. Those digests included usernames and their associated email address, along with Reddit-suggested posts from safe-for-work subreddits users were subscribed to.

Wednesday's post said the breached employee accounts were protected by 2FA, which typically requires people to take an extra step beyond entering a password when accessing an account from a new computer. In most cases, the extra step is the entering of a one-time password (OTP) that is sent to or generated by a phone. More secure still, the 2FA is in the form of a cryptographic token sent by a security key attached to the device logging in. The 2FA protecting the Reddit accounts, however, relied on OTPs sent through SMS messages, despite reports over the years (including this one) that make it amply clear they are susceptible to interception.
