
Is it really safe to verify identity through SMS verification code?

I was invited, but it's okay anyway. Tell me in detail:)

The important thing is that, as many people have pointed out, there is no absolute security. Saying that xxx is secure just means that the threats and the damage are within an acceptable range. The degree of "acceptable" is difficult to define; it takes a lot of time and has to take feelings and emotional factors into account. From another point of view, when facing an identified hazard, if the investment in protection would be higher than the estimated loss, the hazard can be considered "acceptable".

Back to the question, let's rephrase it: can identity verification through SMS improve security? The answer is clear: yes. There are three kinds of authentication factor: something you know, something you have, and something you are. Usually, passwords and passphrases fall into the first category (something you know), holding a token or certificate falls into the second category (something you have), and biometric features such as fingerprints and irises fall into the third category (something inherent to you). Because they differ in how hard they are to acquire or forge, the security of the first category is generally considered worse than that of the second, and the second worse than the third. However, it must be understood that using only one of them is considered weak authentication; two or even all three must be used, independently of each other, to be considered strong authentication.

Ordinary applications, such as e-mail, use a password or passphrase as the first authentication factor, while the SMS verification code provides the second. In terms of security settings, a well-designed system will require both authentication methods at the same time to modify key information: that is, you log in with a password, and then, to modify key information such as the registered mobile phone number, the previous phone must first receive a verification code. Someone who has only obtained the phone should not be able to log in to the account and modify all the information; otherwise the independence of the authentication methods is broken, and with it the security of the system.

At this point we can return to the title question. In the absence of design flaws, adding SMS authentication to password authentication means that both the first and the second category are used. This is strong authentication. When the password is set reasonably (strictly speaking it should be random, but at least don't use 123456) and the SMS verification code system is reliable (the code cannot be copied or eavesdropped on), security is completely guaranteed. Even if either one of these two authentication methods is eventually broken, security should still hold against ordinary threats. So the question can be given a clear answer: yes! Is there a better way? Considering cost and practicality, probably not at present.

By the way, as technology improves and control methods change, an authentication method that was originally of the third category is likely to weaken into the second, and the second is likely to become the first. Authentication methods that were originally independent of each other are likely to become entangled through carelessness. As with all security systems, the design of a verification system must be very vigilant and fully consider the various environments it will face. At the same time, we must always keep in mind that the value of every security investment lies in protection, and the cart must not be put before the horse.
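The independence requirement described above (changing the registered phone number needs both the password and a code received on the old phone) can be shown in a few lines. This is an added example, not code from the original answer; the class, function names, password and phone numbers are constructed for illustration, and the SMS delivery is simulated.

```python
import hmac
import secrets

class Account:
    def __init__(self, password, phone):
        self.password = password      # constructed sample; a real system stores a salted hash
        self.phone = phone
        self.pending_code = None

def send_sms_code(acct):
    """Simulate sending a one-time code to the currently registered phone."""
    acct.pending_code = f"{secrets.randbelow(10**6):06d}"
    return acct.pending_code          # returned only so the demo can act as the phone holder

def _matches(expected, supplied):
    """Constant-time comparison that treats a missing value as a failure."""
    if expected is None or supplied is None:
        return False
    return hmac.compare_digest(expected, supplied)

def change_phone_weak(acct, sms_code, new_phone):
    """Flawed design: the SMS code alone is enough, so the two factors collapse into one."""
    if _matches(acct.pending_code, sms_code):
        acct.phone, acct.pending_code = new_phone, None
        return True
    return False

def change_phone_strong(acct, password, sms_code, new_phone):
    """Requires something you know (password) AND something you have (old phone)."""
    ok_password = _matches(acct.password, password)
    ok_sms = _matches(acct.pending_code, sms_code)
    acct.pending_code = None          # the code is single use, whether or not the change succeeds
    if ok_password and ok_sms:
        acct.phone = new_phone
        return True
    return False

def demo():
    pw, old, new = "correct horse battery", "+10000000001", "+10000000002"
    weak, strong = Account(pw, old), Account(pw, old)
    results = {}
    # Holder of the phone only: succeeds against the flawed design, fails against the strong one.
    results["weak_phone_only"] = change_phone_weak(weak, send_sms_code(weak), new)
    results["strong_phone_only"] = change_phone_strong(strong, None, send_sms_code(strong), new)
    # Holder of the password only: no valid code, so the change is refused.
    send_sms_code(strong)
    results["strong_password_only"] = change_phone_strong(strong, pw, "not-the-code", new)
    # Legitimate owner with both factors.
    results["strong_both"] = change_phone_strong(strong, pw, send_sms_code(strong), new)
    return results

if __name__ == "__main__":
    print(demo())
```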