0

Although I disagree with the term MFA entirely if it refers to 'login code send to email', it's a one-time password at best, and likely badly implemented with its associated risks. I do see quite some software having email as their only 'MFA solution', sometimes also offering SMS as an alternative, or no options to disable one or another. Let's ignore the fact that we should ditch such software in the first place.

Using SMS for MFA is also known to be insecure.

If choosing between two evil options, email and SMS, for the use of MFA, receiving a one-time-password (OTP), which is considered 'most secure' and why?

Bob Ortiz
  • 6,665
  • 11
  • 50
  • 96
  • The security of the email options depends on the security of the sender (i.e. DNS spoofing possible, TLS enforced) and the security of the recipient (how likely gets the account compromised, how open is the mail provider to attacks). This means the security might differ as lot between different senders, mail providers and recipients so no reliable rating can be done in order to compare it with SMS. – Steffen Ullrich Nov 07 '23 at 15:58
  • I understand that any threat model can be specifically tailored but I'm searching for a probably hard, generic comparison which would include a lot of assumptions. 'A general rule of thumb'. Such as, as of 2023 the average user most likely does not use MFA on their email account, has an phone with a regular operator, most likely not up to date phone software, not in an extremely hostile nor friendly surrounding. Moderate to weak password. Is not highly digitally skilled, nor a total digital illiterate, et cetera. – Bob Ortiz Nov 07 '23 at 18:56
  • This is a second proof... (1: they know their password, 2: they have access to phone or email) not sure why you think it's so evil. Maybe you are talking about "forgot password" methods here? That ends up being a single proof. (that you have access to the e-mail or phone.) In that case I'd go with e-mail, as a sim-swap would allow an attacker to reset the password. (though a sim-swap might also allow access to e-mail, so...) – browsermator Nov 07 '23 at 20:20

0 Answers0