> If you believe that "everybody uses unique passwords" is achievable then Tavis is 100% correct and SMS-2FA achieves nothing.
This doesn't seem to follow. As the previous poster called out, if I have unique passwords, SMS-2FA makes me safer than not having it. If someone (let's say Bank of America) has their password database leaked, then an attacker can immediately log in to my account with a unique password.
If I have a unique password + SMS 2FA, the attacker has to compromise SMS to log into my account - a slower process that gives me more time to be informed of the leak and change my password.
But is that true? The hacker got the pw database somehow. So it isn’t a given that they need your sms to impersonate you, since they clearly have breached the system already.
> So it isn’t a given that they need your sms to impersonate you,
Correct. It's possible the entire system is compromised. It's also possible the entire system is not compromised, and the data breach happened without the target institution losing control of their systems.
> since they clearly have breached the system already.
No, not necessarily. Someone could, say, export the contents of a database and put it somewhere public. A data breach is not necessarily the result of hackers getting total control of the target.