Neil Brown

The Solicitors Regulation Authority has implemented MFA for its website, but uses only SMS-based TOTP.

So much for me bothering to give feedback when they asked about it...

1+
Neil Brown

It's even worse than I thought. You can give *any phone number you like*. As long as you can receive SMS / answer calls at it.

So I logged in with my username and password, and then gave a phone number. It called me, I pressed #, and it authenticated me.

But next time I can give a different phone number.

What is the point of this?!

1+
Karl Austin
Follow

@neil that's some serious . How did anyone think that was an improvement over just user and password) "please prove you have access to some form of phone number"

· · Mastodon for iOS · 0 · 0 · 1
Sign in to participate in the conversation
Tweep.uk

A server for those involved in the web: Developers, Designers, Coders, Server Providers etc.

Resources

Developers

What is Mastodon?

tweep.uk

More…

v3.5.3 · Privacy policy