Hello, welcome to the Wednesday, August 4, 2021 edition of the Sandcent,

Internet Storm Center's Stormcast. My name is Johannes Ulrich, and then I'm recording from

Stockholm, Germany. Well, first of all, on the Internet Storm Center, I wrote up a quick

diary about some issues I've seen with two-factor authentication. One problem I want to

point out here as part of podcast is where the password reset only requires the token. So

that really reduces it back to one token or one factor. If you're losing your token,

an attacker could easily use that token to reset

your password and with that gain full access to the account.

Having two factor authentication and having like in this case a physical token will make an attack

more difficult if the password is weak, but doesn't mean that you should

just give up on passwords.

And the rest of it really comes down to that how you're implementing two-factor authentication.

If you're implementing it really depends a lot on the risk that you're trying to protect

against.

Of course, something like an online banking application should be better protected than like your average e-commerce application or a blog post site.

At an issue, I pretty much see as unsolved as sort of good guidelines, good practices on recovering from a stolen or lost

second factor like a hardware token. I haven't really seen an implementation here that I really

liked. And second diary was today really a bit more on the lighter side and that's a real

sort of crazy

SMS that I received, the claim to come from a doctor that was going to perform some surgery

and asked for all kinds of details, including pictures.

I'm 99.99% sure that this is not a real doctor who just got the wrong number,

...