Just wondering if anyone knows if Public Mobile has plans to implement two-factor authentication (2FA) for the Self-Serve My Account login anytime soon?
Like either a code sent to text message, code sent to email, or an authenticator app?
It seems like a basic security measure these days.
Would help avoid all the sim jacks.
Not really. If the attacker already knows the SIM ID, the phone number, the email or password or PIN for the account, and/or "three pieces of private information to confirm identity" then theft of the SIM, the phone number, and the account can proceed anyways.
The only thing 2FA (through the customer phone number) would accomplish is to make it easier for the thief to "prove" identity while making it harder for the victim to prove identity - because the victim isn't even aware of the theft until working phone service has been fully transferred to the thief's phone. Unless the 2FA uses some other resource (another email, another phone number) which PM keeps on record for recovery purposes but does not reveal or display anywhere on the Self-Serve account.
Putting an extra deadbolt on the front door doesn't add any real security if the backdoor is always left unlocked.
@Korth Wouldn't the attacker need to log into the account first to change the sim #? If PM had 2fa would that not mean the original owner would get the text?
Unless the 2FA uses some other resource (another email, another phone number) which PM keeps on record for recovery purposes but does not reveal or display anywhere on Self-Serve account.
For Mobile Services not just Public Mobile, 2FA probably has to be using email, a third-party authenticator app or a hardware key. Email would probably be cheapest.
Would be nice to have extra layers of security, for sure.
Meanwhile, I'd strongly suggest using a secure password generator for all your accounts. I use LastPass so it works across platforms, but if you have Chrome or Firefox, those can now auto-generate secure passwords too.
Wouldn't the attacker need to log into the account first to change the sim #? If PM had 2fa would that not mean the original owner would get the text?
Think about it from the thief's perspective. The mental exercise of what you would do to "steal" your own account and phone number.
If you couldn't login to your account - forgot your password or whatever - then how would you prove your identity to PM? What information would you need to provide, and how could others obtain that information?
And without some sort of physical identity confirmation - face-to-face and photo ID check, etc - how can PM truly know that a person on the internet is actually who they claim to be?
(I'm ignoring technical "envelope metadata" like IP addresses, etc. We are not obligated to login from our own devices or home networks, we don't need to use uniquely-fingerprinted hardware or software, we can even use technical things like IP masking and TOR clients and VPNs to retain legal anonymity. And if we have those abilities then so do tech-savvy hackers and thieves.)