SMS's and calls over cell phone networks are known to be vulnerable to spoofing and interception making them unsuitable for 2FA. As a matter of fact there have been high profile media reports of attacks against social media accounts and online banking that took advantage of said flaws.

On 30 Jun 2017, at 19:14, "Ngigi Waithaka" <ngigi@at.co.ke> wrote:

Mark,

On a security vs affordability basis, how exactly would SMS 2FA not be an effective solution?

Unless you are going to hack the Telco SMS Gateway where the SMS is in clear txt, in which case I would think even our M-Pesa Pins would be vulnerable, where else is do you have a credible attack surface?

Rgds

On Fri, Jun 30, 2017 at 3:25 PM, Mark Kipyegon via kictanet <kictanet@lists.kictanet.or.ke> wrote:

SMS as a form of 2FA is unsuitable considering the sensitivity of such information. On the other hand a government backed smart card would offer the appropriate level of authentication without locking out access to a section of users.

On 30 Jun 2017, at 12:30, "Denis G. Wahome" <dwahome@gmail.com> wrote:

Mark,

While I do concur completely with your observation. I was considering the user group for the service. Other more advanced mechanisms would reduce the usability/accessibility by a large portion of the Country.

A better way would be a registration process to access your records where one can select a Channel for 2FA

Denis

On Fri, Jun 30, 2017 at 10:54 AM, Mark Kipyegon via kictanet <kictanet@lists.kictanet.or.ke> wrote:

SMS is not a secure implementation of two factor authentication.

On 30 Jun 2017, at 10:40, "kictanet-request@lists.kictanet.or.ke" <kictanet-request@lists.kictanet.or.ke> wrote:

>
> A simple 2 Factor Authentication mechanism via SMS would suffice to start
> with.