SMS Threat Intel #1696
Labels
1) Discussion ongoing
Issue is opened and assigned but no clear proposal yet
Community wanted
We would like feedback from the community to guide our decision otherwise we will progress
Will be closed if no response/opposite arguments
_5.0 - Not blocker
This issue does not block 5.0 so if it gets addressed then great, if not then fine.
SMS is referenced within ASVS Requirement 2.2.2
@vanderaj considered the residual risk of SMS within #127 (comment)
However, @ddz published the following tweet during Summercon 2023:
The tweet reproduced as text is "Where @dotmudge makes an important point at @SummerC0n: real data on ATOs shows that SMS 2FA is fine for the vast majority of users. It prevented 100% of 3.3B automated password stuffing attacks, 96% of 12M bulk phishing, and even 76% of <10k targeted attacks seen over last year."
As the purpose of #1495 is to verify the control based on the risk of the application, SMS is fit for purpose according to the available Threat Intelligence. Therefore, should SMS be reconsidered for at least L1?