
Hi all,

In my humble opinion, the 2FA implementation needs some improvements.

Once enabled, it brings up a form with a pre-filled field, where the current mobile number is displayed in full - which is bad practice. More concerning, the mobile number can be replaced - meaning that if a user's password has been leaked, the hacker can easily change the registered number and log in. I just tested this theory, and I could log in to the account.

Within seconds, I could also change the password and get hold of the account completely.

In a real-world production scenario, this isn't good (to say the least). Add to this that SMS is looked at as a weak solution for 2FA, and we're having a problem.

Implementing authenticator app-based 2FA should be a priority, as well as email-based. Users should have multiple choices to make the platform secure and usable.

Any thoughts?
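The flaw described in the post, next to one way a platform can close it, as an added example (not the platform's own code): the weak handler lets a password-only session overwrite the registered number, while the hardened flow masks the number on display and only applies a change after a short-lived code sent to the *current* number is presented. `Account`, `CODE_TTL` and the `send_sms` callback are assumed names for this illustration.

```python
import hmac
import secrets
import time

CODE_TTL = 300  # seconds a step-up code stays valid (assumed policy value)


def mask_phone(number: str) -> str:
    """Display form for a registered number: reveal only the last two digits."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "*" * max(len(digits) - 2, 0) + digits[-2:]


class Account:
    def __init__(self, phone: str):
        self.phone = phone
        self.pending = None  # (code, expires_at, new_phone) for an in-flight change


def change_phone_weak(account: Account, session: dict, new_phone: str) -> bool:
    """Flawed: a logged-in (password-only) session is enough to replace the number."""
    if not session.get("authenticated"):
        return False
    account.phone = new_phone
    return True


def begin_phone_change(account: Account, session: dict, new_phone: str, send_sms) -> bool:
    """Hardened step 1: issue a short-lived code to the CURRENT number, not the new one.

    An attacker holding only the password does not control the current number."""
    if not session.get("authenticated"):
        return False
    code = f"{secrets.randbelow(10**6):06d}"
    account.pending = (code, time.time() + CODE_TTL, new_phone)
    send_sms(account.phone, f"Your verification code is {code}")  # out-of-band delivery
    return True


def complete_phone_change(account: Account, session: dict, presented_code: str) -> bool:
    """Hardened step 2: apply the change only with a fresh, unexpired, single-use code."""
    if not session.get("authenticated") or account.pending is None:
        return False
    code, expires_at, new_phone = account.pending
    account.pending = None  # consumed on first attempt, whether or not it matches
    if time.time() > expires_at or not hmac.compare_digest(code, presented_code):
        return False
    account.phone = new_phone
    return True
```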
