<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>2fa on Rishipal Yadav · not your CISO</title><link>https://rishipalyadav.github.io/tags/2fa/</link><description>Recent content in 2fa on Rishipal Yadav · not your CISO</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>© 2026 Rishipal Yadav</copyright><lastBuildDate>Sat, 18 Feb 2023 00:00:00 +0000</lastBuildDate><atom:link href="https://rishipalyadav.github.io/tags/2fa/index.xml" rel="self" type="application/rss+xml"/><item><title>You Must Remove Text Message Two-Factor Authentication</title><link>https://rishipalyadav.github.io/posts/remove-sms-two-factor-authentication/</link><pubDate>Sat, 18 Feb 2023 00:00:00 +0000</pubDate><guid>https://rishipalyadav.github.io/posts/remove-sms-two-factor-authentication/</guid><description>&lt;blockquote&gt;&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://notyourciso.medium.com" target="_blank" rel="noreferrer"&gt;not your CISO&lt;/a&gt; on Medium. &lt;a href="https://notyourciso.medium.com/you-must-remove-text-message-two-factor-authentication-df0b43e55e5d" target="_blank" rel="noreferrer"&gt;Read the full post →&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;&lt;p&gt;Last night, just before I went to sleep, I decided to check Twitter. The first thing I saw was the announcement that Twitter was removing SMS-based two-factor authentication for non-Twitter Blue users. The reaction was predictably split — some celebrated, some panicked.&lt;/p&gt;
&lt;p&gt;Both reactions missed the point.&lt;/p&gt;
&lt;p&gt;SMS-based 2FA is not secure. It is better than a password alone, but SIM-swapping attacks have made it a weak link that sophisticated attackers exploit routinely. The Twitter decision — however poorly communicated — is directionally correct. The question for security teams and individuals alike is: what replaces it?&lt;/p&gt;</description></item></channel></rss>