Increased security. Wonderful. I use 2-Factor authentication in almost everything that supports it, and it’s great to see that the Blink team is thinking about these things.
Now we find out about the implementation: You are required to put in a phone number for SMS or voice calls. People are accustomed to this, but it’s a terrible and poorly-considered choice for this application:
- What about households with multiple people accessing the same Blink system? The account is bound to just 1 phone number, so what happens when some other person needs to do 2FA?
- What happens when I’m traveling and have a foreign SIM in my phone? Or let’s say I’m in a country where my phone doesn’t work on their network? Sooner or later, I’ll need to log in or set up Blink again on my phone for one reason or another.
- The use of phone-based 2FA just opens people up to SIM-swap fraud. Criminals can scam some worker at the phone company, to steal your phone number, and then they will have access to your Blink 2FA codes. Good luck preventing that one.
HOW TO FIX IT - Blink should have thought this through better, and also enabled an app-based solution:
The 2-Factor Authentication should use the same app-based approach enabled by Google, Amazon, PayPal, Discord, DropBox and many others: TOTP apps such as Authy or Google Authenticator, which securely generate codes on your phone without the need for a phone signal, let alone working phone service.
Dear Blink Team, please reconsider your approach to 2FA. The current setup is just a mess of problems, complications and security holes waiting to happen. Please let responsible users take control of their own security. As a general practice, you should never link anything important to a phone number, since you are just handing over the keys to network operators who are, at best, bumbling and bureaucratic, and at worst, incompetent.
Thanks for reading.