Sites without Hardware or Software Token need a Poke option #17

Open
kilimar opened this issue Mar 10, 2020 · 2 comments
Labels: enhancement (New feature or request)

Comments

kilimar commented Mar 10, 2020

Information about the feature to be added:

It has been discovered in recent years that SMS and Email are not as secure as they used to be, and while 2FA using these two methods is more secure than NOT having 2FA, it is much more secure to implement Hardware or Software tokens. For service providers that offer either of the two (SMS and/or Email), there is no longer an option to 'poke' the provider into providing a more secure 2FA method (H/W and S/W tokens). On such sites, there should still exist the poke option, "Tell them to support 2FA", but with details on implementing the more secure H/W and S/W 2FA instead of the less secure 2FA.

Additionally, sites which offer H/W or S/W tokens that fall back to SMS or Email should STILL have a poke option. Additionally, instead of a ! triangle next to the service provider, the ! triangle should be in the column (where the checkmark currently is located).

With regards to "Phone 2FA": not sure how secure or insecure Phone 2FA is. Additionally, some sites now offer Voice Verification (i.e. Vanguard and Fidelity), although it might only be "call in". Unsure how to indicate the voice verification feature on https://twofactorauth.org.

SOURCE: NIST Special Publication 800-63B (summary: don't use SMS or Email for 2FA or out of band verification)

kilimar added the enhancement label Mar 10, 2020

leggomyinfo commented

An option to poke sites with sub-par or less-than-ideal 2FA might only make sense if/when a grade system is implemented (see 2factorauth/twofactorauth#4308 and 2factorauth/twofactorauth#4531): "Tell them to improve their grade!" @Carlgo11 has made the case that it's misleadingly oversimplified to treat any 2FA category as per se more/less secure than any other; it requires a continuum (e.g. A-F) that accounts for multiple variables of an implementation. (Correct me if I got that wrong!)

Regarding distinguishing voice verification from a code read in a phone call: I think this bolsters my argument for consolidating "SMS" and "Phone Call" into "SMS/Call" (see #16). That would create room for "Voice Verification" (or something broader like "Biometrics").

Additionally, instead of a ! triangle next to the service provider, the ! triangle should be in the column (where the checkmark currently is located).

Great idea! Two suggested tweaks:

  1. I think the warning sign would also need to be able to appear where it currently is for exceptions that apply to every 2FA option for that site.

  2. The warning symbol should be yellow instead of red. I think that change would be beneficial now, but it would be especially important if the symbol also appeared in lieu of a checkmark. The color red connotes that something is wrong, which might be even worse than not having a checkmark in that column. That would be unfair to those companies and counter-intuitive for users.
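A concrete version of the two rules argued in this thread (a site's effective 2FA strength is capped by its weakest fallback channel, and the poke option stays as long as the site can still improve its grade), written as an added example; it is not code from this thread or from the twofactorauth project. The entry schema, the numeric strength ranks and the letter-grade mapping are assumptions made for the example and do not reproduce the project's data format.

```python
"""Weakest-link grading of a site's 2FA offering.

Added example, not the twofactorauth project's code. The Site schema,
STRENGTH ranks and GRADE mapping below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List

# Rank of each 2FA method, weakest first. The numbers are an assumption for
# this example; they follow the thread's ordering (email/SMS/call weaker than
# software tokens, hardware tokens strongest).
STRENGTH = {
    "email": 1,
    "sms": 2,
    "call": 2,
    "software_token": 3,   # TOTP/HOTP authenticator apps
    "hardware_token": 4,   # FIDO/U2F keys, OTP tokens
}
TOP = max(STRENGTH.values())

# Letter grade per effective strength. The A-F scale is what the thread
# proposes; the exact mapping is assumed.
GRADE = {0: "F", 1: "F", 2: "D", 3: "B", 4: "A"}


@dataclass
class Site:
    name: str
    methods: List[str] = field(default_factory=list)    # methods a user may enable
    fallbacks: List[str] = field(default_factory=list)  # weaker channels the site
                                                        # falls back to regardless of
                                                        # the user's choice (e.g. SMS
                                                        # recovery)


def effective_strength(site: Site) -> int:
    """Strongest method the user can pick, capped by the weakest fallback.

    If a login can still be completed over SMS whatever the user enabled,
    an attacker who can intercept SMS only needs that path, so the account
    is only as strong as SMS.
    """
    if not site.methods:
        return 0
    best = max(STRENGTH[m] for m in site.methods)
    if site.fallbacks:
        best = min(best, min(STRENGTH[m] for m in site.fallbacks))
    return best


def grade(site: Site) -> str:
    return GRADE[effective_strength(site)]


def poke_reasons(site: Site) -> List[str]:
    """Why the 'tell them to improve their grade' option should be shown.

    An empty list means the site already offers the top method and has no
    weaker fallback, so there is nothing left to poke them about.
    """
    if not site.methods:
        return ["no 2FA offered"]
    reasons = []
    best = max(STRENGTH[m] for m in site.methods)
    if best < TOP:
        strongest = max(site.methods, key=STRENGTH.get)
        reasons.append("no hardware token support; strongest offered is " + strongest)
    weak = [m for m in site.fallbacks if STRENGTH[m] < best]
    if weak:
        reasons.append("stronger methods fall back to " + ", ".join(sorted(weak)))
    return reasons


def needs_poke(site: Site) -> bool:
    return bool(poke_reasons(site))


if __name__ == "__main__":
    # Constructed sample entries, not real twofactorauth.org data.
    samples = [
        Site("mail-only-example", ["email"]),
        Site("totp-with-sms-fallback", ["sms", "software_token"], fallbacks=["sms"]),
        Site("fido-with-sms-fallback", ["hardware_token"], fallbacks=["sms"]),
        Site("fido-only-example", ["hardware_token"]),
        Site("no-2fa-example"),
    ]
    for s in samples:
        print(f"{s.name:26} grade={grade(s)} poke={needs_poke(s)} {poke_reasons(s)}")
```

The point the example makes is that "fido-with-sms-fallback" grades the same as a site that only offers SMS: the fallback channel, not the best method on the menu, bounds what an attacker has to defeat, which is why a site with hardware-token support should still be pokeable when it keeps an SMS path open.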


kilimar commented Mar 23, 2021

I wanted to update this issue with some new information. SMS 2FA is a LOT more insecure than I originally thought. The TLDR version is that anyone can sign up with a service that will intercept SMS messages. All they need is a Letter of Authorization or, in some cases, just a "check box" that you have an LOA on file, and you can start intercepting SMS without the owner knowing anything is happening. And this has been an issue since 2018.

The following link is a re-written article from Vice, but is shorter and to the point, with some technical details: https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/

I consider SMS marginally safer than no 2FA. No more 'social engineering' required; now it's just find a service that has an "I agree to the terms of use and I have an LOA in hand" checkbox and start intercepting SMS.

Carlgo11 transferred this issue from 2factorauth/twofactorauth Dec 25, 2022