GitHub removes SMS as a factor for step up
This announcement from GitHub is welcome. SMS is a problematic form of multi-factor authentication (MFA), and should be avoided. There are a couple of problems with it:
* It is vulnerable to social engineering attacks via spoofing or SIM swaps
* SMS is not encrypted end to end
* Attackers have a variety of options
However, for customers, SMS is easier to understand and configure than other common additional factors, such as TOTP methods using Google Authenticator, which is why it continues to be used by large apps like Mailchimp.
As technical professionals, GitHub's users are more likely to be able to use other methods, so the deprecation of SMS as a method is less risky, but still welcome.
Dan