Open ryankurte opened 7 years ago
If it is existing, most probably better than nothing.
If it is being added/a new feature, it should be using a better solution (and cheaper solution in the long run, given how many times I have logged into my bank it would be cheaper to buy me a U2F).
Does pose a risk of adding a false sense of security.
If it's /only/ a second factor, reckon it's net positive.
The worry I have is that if the implementation falls back to SMS (or voice) for password resets or anything else it's kind of worse than not having it.
Agree with that last point: if SMS/Voice is used as part of the password reset, confirmation when ring, etc., it shouldn't be a second factor.
Positive: still a second factor. Negative: another route for social engineering, "proof of account" if incorrectly handled by the bank.