@Caute_cautim wrote:
SIM swapping attacks
Yes, we need to be disabling SMS/voice MFA, just as NIST advises, and not just for admin accounts. Most every SAML offering I have encountered offers stronger alternatives, such as TOTP, push-notification, passkeys etc. and the option to disable SMS in our own SAML IdP instances. The part I do not understand is why the SAML-as-a-service providers have not yet made SMS disabled-by-default.
That said, we need to be careful to not vilify SMS too strongly because the true enemy is plain passwords, holding about 90% of the authentication "market share". Here is an interesting article that makes that point.
Twitter provides an interesting use case. Last month they discontinued SMS for 95% of their users. Prior to the change Twitter reported the following stats. It will be interesting to see how they change in the next report (if it does not fall victim to the "chaos" occurring within Twitter).
2FA Usage
2.6% - Percentage of active Twitter accounts with at least one 2FA method enabled on average over the reporting period.
Types of 2FA
SMS: 74.4%
Auth App: 28.9%
Security Key: 0.5%
Breakdown of 2FA methods by percentage of account that have each enabled (Note: accounts can enable multiple 2FA methods)
