ryankurte / doesmybank

A review of NZ Banking Security (and features)
MIT License

Is SMS still better than nothing? #1

Open ryankurte opened 7 years ago

ryankurte commented 7 years ago

Positive: still a second factor

Negative: another route for social engineering, "proof of account" if incorrectly handled by the bank.

nzkarit commented 7 years ago

If it is existing, it is most probably better than nothing.

If it is being added/a new feature, it should be using a better solution (and a cheaper solution in the long run; given how many times I have logged into my bank, it would be cheaper to buy me a U2F).

Does pose a risk of adding a false sense of security.

ryankurte commented 7 years ago

If it's /only/ a second factor, reckon it's net positive.

The worry I have is that if the implementation falls back to SMS (or voice) for password resets or anything else, it's kind of worse than not having it.

nzkarit commented 7 years ago

Agree with that last point: if SMS/Voice is used as part of the password reset, confirmation when ring, etc., it shouldn't be a second factor.