
When will there be a sane two-factor authentication system?

When will you recognize FIDO2 with PIN as two factor in and of itself, or at least allow an OATH-TOTP compliant 2nd factor?

 

Every other site that uses FIDO2 security keys with PIN recognizes that's two factors (something you have + something you know).  That means you can still have two-factor enabled for the account, preventing someone from signing in with just a password, but you don't have to receive a text message with a code when using your security key and PIN.  (Also, modern sites allow an OATH-TOTP second factor instead of SMS text, which is grossly insecure and limiting.)

 

With eBay, the ONLY second factor available is a text to one number.  If two-factor is on, you cannot get in any time you have a dead-battery/missing/left-at-work-for-the-weekend/broken phone.  Even with a security key + PIN, the most secure authentication in the world, you can't get in without a text.  If you want reliable access to your account, you have to completely turn off two-factor, and then the security key works, but so does just a password, which is insecure.

 

When will you develop a proper 2FA system in line with industry standards and best practices (which highly discourage, not mandate, SMS texts as a factor)?

Message 1 of 3
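The original post's claim that a FIDO2 key used with its PIN is already two factors is something a relying party can check mechanically: the authenticator reports in the authenticatorData flags byte whether the user was merely present (UP, a touch) or also verified (UV, the PIN or biometric was checked on the device). The following is an added example, not code from the post or from eBay, showing the server-side policy step. It assumes the assertion signature has already been verified against the stored public key, and the sample authenticatorData is constructed inline rather than captured from a real key; the function names are mine.

```python
import hashlib
import struct

# Bit positions in the WebAuthn/CTAP2 authenticatorData flags byte.
FLAG_UP = 0x01  # user present: the key was touched (proves possession)
FLAG_UV = 0x04  # user verified: PIN or biometric checked on the authenticator
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes, rp_id: str) -> dict:
    """Parse the fixed 37-byte head of authenticatorData and bind it to our RP ID."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    expected = hashlib.sha256(rp_id.encode()).digest()
    if rp_id_hash != expected:
        raise ValueError("rpIdHash does not match this relying party (possible phishing origin)")
    return {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def factors_satisfied(auth_data: bytes, rp_id: str) -> int:
    """Number of factors a signature-verified assertion proves.

    UP alone proves possession of the key (one factor). UV additionally proves
    the user unlocked the key with its PIN or biometric (second factor).
    """
    parsed = parse_authenticator_data(auth_data, rp_id)
    if not parsed["user_present"]:
        return 0
    return 2 if parsed["user_verified"] else 1


def needs_extra_second_factor(auth_data: bytes, rp_id: str) -> bool:
    """Policy: only fall back to another factor (TOTP, SMS, ...) when UV was not set."""
    return factors_satisfied(auth_data, rp_id) < 2


def clone_suspected(stored_sign_count: int, new_sign_count: int) -> bool:
    """Per the WebAuthn spec, a non-increasing counter (when the key reports one)
    suggests the credential private key has been duplicated."""
    if new_sign_count == 0 and stored_sign_count == 0:
        return False  # authenticator does not implement a counter
    return new_sign_count <= stored_sign_count


def make_sample_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test input; not captured from a real authenticator."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    with_pin = make_sample_auth_data("example.com", FLAG_UP | FLAG_UV, 7)
    touch_only = make_sample_auth_data("example.com", FLAG_UP, 8)
    print("key+PIN  factors:", factors_satisfied(with_pin, "example.com"))
    print("key only factors:", factors_satisfied(touch_only, "example.com"))
```

A relying party that wants this behaviour should also request it: set `userVerification: "required"` in the assertion options so the key prompts for its PIN, and then enforce the UV bit server-side as above rather than trusting the client.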


This is a user forum; eBay is not here.

 

Only eBay can answer your question and eBay does not publicly discuss security issues in general or anticipated security changes.

Message 2 of 3


Of course they don't!  Why am I not surprised?  Oh yeah, because companies that literally mandate things the National Institute of Standards and Technology (NIST) has deemed insecure generally don't like to draw any attention to the fact that they do that.

 

There are 3 reasons SMS is discouraged:

1. People can't get at your authenticator app by stealing your SIM card, and hard resetting your phone will wipe it - either of these things, however, will let someone receive texts at your number without knowing your screen lock, as long as they have physical access.  USB security keys also have their own PIN.

 

2. SMS text doesn't necessarily mean a second type of factor ("something you have") is required.  Many phone carriers let you SMS from a web browser as your phone, so it doesn't really tie you to hardware.

 

3. Due to fear of anticompetitive-practices charges if they make it difficult, security for porting numbers out isn't what it perhaps ought to be.  Cybercriminals have a fair success rate at porting your phone number to a new prepaid line and completing MFA if it's just a text, since it's tied to a phone number, not a piece of hardware.

Message 3 of 3