Is 2 factor authentication really that secure, or is it just a ruse by sites to get to your phone???

Sounds secure enough to me, adds different type of security layer and I don’t think they would stoop down to sell your phone number.

@aviophile the security part is okay, definitely worth having, but I wouldn't put the phone number thing beyond them

2FA doesn't require a phone number, it's something you know and something you have, Google authenticator on your phone doesn't connect to the remote service or give them any information.

@atheist good to know

both, jokes on them I use burner phones, nsa is always listening dude

if you use sms as second factor then no.

@coffeeholic yeah I see how that would work

@EpicofGilgamesh you can use open source topt auth software

@coffeeholic will try it

@coffeeholic how does sms not require a phone

It's fine

@electrineer it requires a phone number

it's much more secure, although it hurts the user experience

@darksideofyay totally, especially when the message doesn't show up

@electrineer I commented on the 'is really that secure' part

In level of effectiveness

1) SMS
2) Authenticator app (TOTP / Push notifications)
3) Hardware based (yubikey, smart cards)

An sms can be intercepted, or worse your phone number can be ported to a new sim depending on the telco and their lack of security measures, this is also the easiest to implement from a user perspective.

TOTP if done right, only allows a 30 second window for a code to work, now... if done incorrectly some implantations allow around 1-2 minutes before and after the current time, increasing the attack range.

Hardware, well someone has to find it to use it.

@C0D4 yeah 30 second thing,

@EpicofGilgamesh by choice, I would use TOTP before sms. There's a shared secret key behind the scenes and a time based formula used to generate the 6-8 digit codes.

It's easy to implement but there's a level of trust of the app having it actually setting it up correctly.