Why shouldn't you allow phones to be used both for password resets and multi-factor authentication?

Time:09-27

I'm going through the User Pools setup process and there's the following sentence under the MFA and verifications page:

We recommend not allowing phone to be used for both password resets and multi-factor authentication (MFA).

What's the reason behind that recommendation?

CodePudding user response:

If the password reset and MFA are both sent via SMS, it's not true MFA. You want MFA to be configured on a different channel so an attacker who has your phone or SIM cannot reset your password and get an MFA code.
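The answer's reasoning in runnable form, as an added example that is not part of the original Q&A and does not model Cognito's own settings: a policy lists which channels can prove identity for a password reset and which can satisfy the second factor, and `can_sign_in` checks whether an attacker holding a given set of channels (but not the password) can still complete sign-in. The channel names (`sms`, `email`, `totp`) and the policy structure are assumptions for illustration.

```python
# Added example (not from the original Q&A, not Cognito's own logic): a small
# model of how reset and MFA channels combine. Takeover is possible only if the
# attacker can both obtain the password (directly, or by a reset through a
# channel they control) and then satisfy MFA through a channel they control.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccountPolicy:
    """Channel sets are assumptions; 'password' is knowledge the attacker lacks."""
    reset_channels: frozenset   # channels that can prove identity for a password reset
    mfa_channels: frozenset     # channels that can satisfy the second factor


def can_sign_in(policy, attacker_has):
    """Return (takeover_possible, explanation) for an attacker holding these channels."""
    attacker_has = frozenset(attacker_has)
    have_password = "password" in attacker_has
    reset_via = policy.reset_channels & attacker_has
    if not have_password and not reset_via:
        return False, "cannot obtain password"
    mfa_via = policy.mfa_channels & attacker_has
    if not mfa_via:
        return False, "cannot satisfy MFA"
    first = "known password" if have_password else f"reset via {sorted(reset_via)[0]}"
    return True, f"{first}, then MFA via {sorted(mfa_via)[0]}"


def single_channel_exposures(policy, channels):
    """Channels whose compromise alone (no password knowledge) permits takeover.

    A non-empty result means the policy is not really two-factor: one stolen
    phone or ported SIM covers both steps.
    """
    return sorted(c for c in channels if can_sign_in(policy, {c})[0])


# Constructed policies for illustration.
SMS_FOR_BOTH = AccountPolicy(reset_channels=frozenset({"sms", "email"}),
                             mfa_channels=frozenset({"sms"}))
SEPARATED = AccountPolicy(reset_channels=frozenset({"email"}),
                          mfa_channels=frozenset({"totp"}))
ALL_CHANNELS = {"sms", "email", "totp"}

if __name__ == "__main__":
    for name, policy in (("sms for both", SMS_FOR_BOTH), ("separated", SEPARATED)):
        print(name, "->", can_sign_in(policy, {"sms"}),
              "| single-channel exposures:", single_channel_exposures(policy, ALL_CHANNELS))
```

With `SMS_FOR_BOTH`, control of the SMS channel alone resets the password and then passes MFA; with `SEPARATED`, an attacker needs two independent channels (or the password plus the MFA channel), which is the property the Cognito recommendation is preserving.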
