⚠️ How SMS 2FA Destroys Authentication Logic
A recent experience while changing my account info reminded me why relying on telecom routing for security is an absolute nightmare, and why the infosec community needs to kill off SMS authentication for good.
🚩 Battle.net SMS 2FA Failure and Security Theater:
I attempted to log into Battle.net using a phone number I had legitimately owned for months, assuming I had added it to my alt profile when I switched to that number. Instead of asking for a secondary 2FA, the platform sent an SMS code, accepted it, and provided me access to a complete stranger's account.
🚩 The Architectural Flaw:
The platform's backend treated a single SMS verification token not as a supplementary second factor, but as a primary identity credential. Because a stranger had left my number on their account months prior, the system assumed current possession of the SIM trumped all other security metrics.
🏳 The Legal Reality of Intent:
From a legal standpoint (like the CFAA), navigating into an account this way lacks the malicious intent required for criminal unauthorized access (Mens Rea); it's an accidental entry caused entirely by broken corporate infrastructure. But the fact that a user can simply input their own phone number and inadvertently hijack a stranger's digital life without a single exploit is a staggering failure of AppSec logic.
✅ The Solution:
SMS is not identity proof. It is a highly volatile, easily routed carrier token. If a platform allows SMS to override or bypass a standard password barrier without out-of-band verification (like a mandatory email confirmation), it isn't secure.
Stop letting telcos act as your root of trust. Switch to cryptographic hardware standards like NFC Yubikeys or standard TOTP apps.
#CyberSecurity #Infosec #MFA #SecurityTheater #AppSec #Yubikey #CFAA #Hacking
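As an added illustration of the architectural point above (this is example code written for this page, not Battle.net's backend or anything from the original post), here are the two login designs side by side: one that accepts "phone number + SMS code" as a complete identity proof, and one that only ever uses SMS as a second factor sent to the account's own number after the password has been checked, and that refuses to trust a phone binding older than an assumed 90-day policy window until it is re-confirmed out of band. The accounts, the reassigned number and the in-memory SMS gateway are all constructed for the demo.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Account:
    username: str
    password: str                       # toy model: plaintext; real code stores a password hash
    phone: Optional[str]
    phone_verified_at: Optional[datetime]
    email: str


class SmsGateway:
    """Constructed stand-in for the carrier: whoever currently holds the number reads the code."""
    def __init__(self):
        self.inbox = {}

    def send(self, phone, code):
        self.inbox[phone] = code

    def read(self, phone):
        return self.inbox.get(phone)


def new_code():
    return f"{secrets.randbelow(10**6):06d}"


class VulnerableLogin:
    """Phone number + SMS code is accepted as a complete proof of identity."""
    def __init__(self, accounts, sms):
        self.by_phone = {a.phone: a for a in accounts if a.phone}
        self.sms = sms
        self.pending = {}

    def start(self, phone):
        if phone not in self.by_phone:
            return False
        self.pending[phone] = new_code()
        self.sms.send(phone, self.pending[phone])
        return True

    def finish(self, phone, code):
        expected = self.pending.get(phone)
        if expected is not None and secrets.compare_digest(expected, code):
            del self.pending[phone]
            return self.by_phone[phone].username    # whoever left this number on their account
        return None


class HardenedLogin:
    """SMS is only ever a second factor: the code goes to the account's own number after the
    password checks out, and a phone binding older than REVERIFY_AFTER is not trusted until the
    user re-confirms it through another channel (e.g. the account e-mail)."""
    REVERIFY_AFTER = timedelta(days=90)     # assumed policy value, not from the post

    def __init__(self, accounts, sms, now):
        self.by_name = {a.username: a for a in accounts}
        self.sms = sms
        self.now = now
        self.pending = {}

    def start(self, username, password):
        acct = self.by_name.get(username)
        if acct is None or not secrets.compare_digest(acct.password, password):
            return "bad_credentials"
        if (acct.phone is None or acct.phone_verified_at is None
                or self.now - acct.phone_verified_at > self.REVERIFY_AFTER):
            return "reverify_phone_out_of_band"
        self.pending[username] = new_code()
        self.sms.send(acct.phone, self.pending[username])
        return "sms_sent"

    def finish(self, username, code):
        expected = self.pending.get(username)
        if expected is not None and secrets.compare_digest(expected, code):
            del self.pending[username]
            return username
        return None


def demo():
    """Constructed scenario: 'stranger' bound +15550100 a year ago and the number has since
    been reassigned to someone else, who now types it into the login form."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    stranger = Account("stranger", "hunter2", "+15550100", now - timedelta(days=365), "s@example.com")
    alice = Account("alice", "correct horse", "+15550199", now - timedelta(days=1), "a@example.com")
    sms = SmsGateway()

    weak = VulnerableLogin([stranger, alice], sms)
    weak.start("+15550100")
    hijacked = weak.finish("+15550100", sms.read("+15550100"))    # "stranger": account taken over

    strong = HardenedLogin([stranger, alice], sms, now)
    no_password = strong.start("stranger", "")                    # "bad_credentials"
    stale = strong.start("stranger", "hunter2")                    # "reverify_phone_out_of_band"
    strong.start("alice", "correct horse")                         # "sms_sent" to alice's own number
    ok = strong.finish("alice", sms.read("+15550199"))             # "alice"
    return hijacked, no_password, stale, ok
```

The difference that matters is where the phone number comes from: the vulnerable flow looks the account up by a number the visitor typed, so possession of the SIM selects the victim; the hardened flow only ever sends to the number already bound to an account whose password was just proven, and treats an old binding as unverified rather than as identity.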
Technical infosec question regarding #FIDO devices like #yubikey
If someone has a Yubikey, is it at all possible to determine what accounts are tied to that key - besides trying to use that key in different accounts? (Sort of like finding a physical key on the ground, and only being able to find out what it’s for by going around town using it on different locks.)
(I think this is also a moot point because it’s -multi factor- so even a username and key combination should NOT be enough to access an account.)
ADDED: I think the answer is generally “no” unless it’s set up as a PASSKEY instead of a second FACTOR. In that mode it requires a PIN as well.
https://old.reddit.com/r/yubikey/comments/1o8nrox/lost_yubikey_is_there_a_way_to_see_what_accounts/
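An added toy model to make the "key on the ground" analogy concrete (written for this page; it is not Yubico's firmware or any real authenticator's code). The structure follows the general FIDO design: in second-factor mode the credential ID handed to the site is derived from a device master secret and the site's RP ID, so the key stores nothing and can only prove ownership when a site hands that credential ID back; in discoverable (passkey) mode the key must store the RP ID and user handle, and its credential-management view lists them only after the PIN is verified. HMAC-SHA256 is an assumed stand-in for the EC key derivation and signing a real device does; the RP IDs, user handle and PIN are constructed sample values.

```python
import hashlib
import hmac
import secrets


class ToyAuthenticator:
    """Assumed simplified model of a FIDO authenticator. HMAC-SHA256 stands in for the EC
    key derivation and signing a real device does; only the storage behaviour is modelled."""

    def __init__(self, pin):
        self.master = secrets.token_bytes(32)                  # never leaves the device
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.resident = []                                     # (rp_id, user_handle, cred_id)

    def _tag(self, rp_id, nonce):
        # Binds a credential ID to this device and this RP without storing anything.
        return hmac.new(self.master, b"handle|" + rp_id.encode() + nonce, hashlib.sha256).digest()[:16]

    def _key(self, rp_id, nonce):
        # Per-credential key material, recomputed from master + credential ID, never stored.
        return hmac.new(self.master, b"key|" + rp_id.encode() + nonce, hashlib.sha256).digest()

    def make_credential(self, rp_id, user_handle=None, discoverable=False):
        nonce = secrets.token_bytes(16)
        cred_id = nonce + self._tag(rp_id, nonce)
        if discoverable:
            # Passkey mode: the key must remember rp_id + user so it can log in with no username.
            self.resident.append((rp_id, user_handle, cred_id))
        # Second-factor mode: nothing is written; the RP stores cred_id and hands it back later.
        return cred_id

    def get_assertion(self, rp_id, cred_id, challenge):
        nonce, tag = cred_id[:16], cred_id[16:]
        if not hmac.compare_digest(tag, self._tag(rp_id, nonce)):
            return None                 # wrong lock: not minted by this key for this RP
        return hmac.new(self._key(rp_id, nonce), challenge, hashlib.sha256).digest()

    def list_credentials(self, pin=None):
        """Credential-management view: only discoverable credentials exist to be listed,
        and only after the PIN is verified."""
        if pin is None or not hmac.compare_digest(
                hashlib.sha256(pin.encode()).digest(), self.pin_hash):
            return None
        return [(rp_id, user_handle) for rp_id, user_handle, _ in self.resident]


def demo():
    key = ToyAuthenticator(pin="1234")
    # Constructed registrations: one as a plain second factor, one as a passkey.
    cred_2fa = key.make_credential("example.com")
    key.make_credential("bank.example", user_handle=b"user-7", discoverable=True)

    found_without_pin = key.list_credentials()              # None: refused
    found_with_pin = key.list_credentials("1234")           # [("bank.example", b"user-7")]
    # example.com never appears: the key holds no record of second-factor registrations.

    challenge = secrets.token_bytes(32)
    right_lock = key.get_assertion("example.com", cred_2fa, challenge) is not None
    wrong_lock = key.get_assertion("other.example", cred_2fa, challenge) is None
    return found_without_pin, found_with_pin, right_lock, wrong_lock
```

Reading the result: a finder with no PIN gets nothing from the key at all; with the PIN they can enumerate passkeys (the RP and user handle, which is why the PIN matters in that mode); and the second-factor registration at example.com is invisible either way, because the only record of it is the credential ID held by example.com itself.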
RE: https://social.nitrokey.com/@nitrokey/116709826562625717
Nitrokey is the world's first manufacturer of open-source security hardware.
Faced with the dominance of American solutions (YubiKey, etc.), Nitrokey positions itself as a 100% open-source, self-funded and independent European player. Their mission? To make the digital world sovereign by offering secure USB keys, smartphones and PCs, without depending on the tech giants.
#Cybersecurity #OpenSource #DigitalSovereignty #Nitrokey #YubiKey #Privacy #TechEurope
Possible to unlock 1password with Yubikey? #firefox #2604 #firefoxextensions #yubikey
I was now able to add one #Yubikey to #Paypal as a hardware security key, but the other one only as an OTP device. PayPal doesn't seem to allow two YubiKeys. So I can't add another key either. And passkeys only work through the device service; on Android there were several to choose from (not the Yubico app), because you can have multiple at the system level. On Apple only "Password", which is apparently the successor to Keychain.
Pretty odd, that.