It’s time to stop using SMS for security (lucky225.medium.com)
174 points by andyjih_ on March 15, 2021 | 147 comments


So, I work in telecom and dabble a bit in software.

I don’t understand the hatred for SMS 2FA on HN. Can someone explain to me why SMS is such a bad method comparative to other solutions where the practical user adoption is near impossible at scale?

At some point, software is going to need to bend to the way people work. When does that happen instead of obsessing over ubiquitous “zero trust”.

I’d love a parable of how using SMS as part of a layered security verification is somehow unacceptably vulnerable.


I probably hate it for different reasons from others on HN, but I move countries (and change numbers) and travel a lot, and SMS just isn't a reliable way to reach me. On top of that, attempting to log in to a website from a foreign country is often itself a trigger for 2FA, and exactly the moment when I'm not reachable by SMS.

This has bitten me a few times, sometimes in desperate situations. Like when I've needed to log in to Airbnb to message a host, transfer some cash from my bank account, access my frequent flyer account, etc. Far too many sites don't provide 2FA over email, or through an app like Google Authenticator - they can only do it over SMS.

Yeah, I know I could set up roaming. But it's an easy thing to forget, since I change phone numbers every couple of years (for both personal and work phones). And it's not always cheap.

It's also just a huge pain to have to go through and change every account I have, any time I change numbers. A lot of accounts that I only use occasionally are configured with one of my many old phone numbers, which don't work anymore. This usually involves a call to tech support to fix it.


I’m an Australian that was in India for the last year (just arrived back, up to day 2 of my 14 day quarantine). Anything that has needed to verify me through SMS (e.g. filing my Australian tax return via myGov, paying for things with my credit card if they used the fancy security thing, like most airlines do and Amazon apparently does, and logging into one or two things) has required me to contact my parents to turn on and check the old phone I left with them, because roaming for a year is expensive and otherwise pointless (I barely use a phone), but transferring my number to a prepaid Amaysim SIM let me keep it alive and mine for the year for $10.

Actually, the myGov thing was a real piece of work. They offer secret questions as a second factor that you can opt to use instead of SMS codes (and yes, secret questions are stupid), but when I did that, it silently unlinked my Australian Tax Office account. I tried to link it up again (a bit of a pain in its own right), and it told me that ATO has decided that it won’t let you link it up if you use secret questions as the second factor technique. Seriously. So I had to switch back. Oh yeah, they do also have a third option, an app of their own that can generate codes (not TOTP), but that app had something like 2 stars on Google Play Store, with many reviews saying it didn’t work at all, so I didn’t even bother trying that.

When I’m in Australia with my phone handy, SMS verification seems not too bad, but when out of the country and not roaming, it may vary between very inconvenient and completely debilitating.


> has required me to contact my parents to turn on and check the old phone I left with them

Why didn't you use an SMS-to-email forwarding app on a phone connected to a charger?

They are free on play store and work really well.


It never occurred to me to seek such a thing. As I wrote my earlier comment here, I wondered to myself whether there might be an app or service to help with this, but it’s too late now. But even then, I’m not sure I’d want to leave a phone plugged in all year, even with its battery removed.


That’s a horrendous hack. The security provisions of immediacy and liveness offered by SMS 2FA are rendered moot.

That one needs to do this to work around the limitations solidifies in my mind that SMS is a poor 2FA solution and should be discontinued.


I'm surprised to see people here treating SMS "2FA" as anything but some snake oil annoyance to be worked around. I set up mine to go to a VOIP number where texts show up in email. I have plans to write something that looks for these messages and spits the code to a terminal or XMPP. My goal is to get that code into my paste buffer as quickly as possible.

If you're using a password manager and have a security model that includes trusting your own computer, you really don't want the snake oil. In fact with US bank accounts, "2FA" steps make your account less secure, because the security of your bank account ultimately relies on checking your transactions every 30 days - anything that gets in the way of easily logging in undermines that.


> In fact with US bank accounts, "2FA" steps make your account less secure, because the security of your bank account ultimately relies on checking your transactions every 30 days - anything that gets in the way of easily logging in undermines that.

So much this, for Europe as well. Since PSD2, I cannot automatically check my bank account anymore, because of onerous and braindead 2FA requirements. And most banks do not offer an email-on-withdrawal function in any proper fashion; even their apps require regular reauthentication. But, since it is a braindead directive, you can install the 2FA app on the same phone as the bank app and have them talk to each other, thereby killing all the security benefit while still being annoying and non-automatic.


Sounds like we're in agreement.


I'd advise the excellent pulsesms app, which will let you sync your SMS from your phone to your desktop.

You can read and write messages from the comfy keyboard of your Windows/MacOS/Linux laptop, even if your phone is at the other side of the world, as long as both are connected to internet.

As someone who forgets his phone regularly at home, it's great.


The app does work by the way.

It is a steaming hot pile of garbage where the government has yet again decided to not use a widely accepted standard.

But if you just need to log in to myGov every few months to check something or do your tax return, it works better than the SMS.

(Just don't lose the phone it is installed on, because you can't link it to a new one without ringing and wading through security checks)


When I hear many reports of things flat-out not working in this way, I’m suspicious that it won’t work for me with my Samsung Galaxy J1 (2016) on Android 5.1, which Google has progressively broken by means of Google Play Services updates. As some typical examples of things that have been broken by Google Play Store updates: Fastmail notifications now only come through on wifi or (I found out last week) if Maps (by Google) is running in the foreground; and Hangouts is completely nonfunctional off wifi (can’t send or receive). It’s network-related things that are the least reliable.

I really wish I could root it or install a new OS on it, but the former has failed and even with an unlocked bootloader the latter takes much too much effort if a prebuilt image isn’t available for your specific device, which roughly means “if you don’t have a flagship phone”.


Oof yeah, if you're running an Android version that old I would not expect much to work that relies on Google services.

That said, if you're out of the country a lot and going the SMS auth route, I'd personally be more comfortable with a postpaid plan in AUS for the SIM, as the telcos tend to take ID requirements more seriously for those than for pre-paids and you're less likely to be socially engineered out of your number.


“That old”, and yet the phone’s not even three years old (my instance of the model, that is; the model was at that point two years old and is thus now five years old). Sigh.

I said prepaid, but as I did it it’s actually postpaid but with an initial $10 prepayment required. Ah, good times back in 2014–2017, getting those bills for less than a dollar (commonly 12¢) every quarter. Then I moved to a tiny country town where an Optus tower a few hundred metres away became my best option for internet, 50/25Mbps and far more solid than any NBN anecdote I’ve heard.


Yeah the unfortunate situation of Android devices means that you may have only just bought the phone but if it isn't supported you could be running a very old OS version.

In this case I think Android 5 was 2014, so almost 7 years old at this point.

Amaysim are pretty good, though if you can convince them to add a security note to your account it's worth it (a colleague of mine had his mobile number hijacked while on holiday and they used it to access a few of his online accounts).


> the phone’s not even three years old

Well, Android 5.1 was EOL in 2015, so you willingly bought an unsupported model. I'm not saying Android has any sensible long-term support (in fact, I spent the last weekend installing LineageOS because my 2018 phone doesn't have support anymore), but this instance is hardly Google's fault.


> you willingly bought an unsupported model

I think most people on HN are comfortable doing a bit of research to see when a device will stop receiving support, but I don't think that's reasonable to expect from everyone.

If I walk into a shop and buy a phone, new in the box, it seems pretty reasonable to assume that its operating system will work with whatever apps I install from its built-in store, and that it will receive security patches for at least a few years. That seems to me like a pretty low bar, but it's absolutely not the case in the Android ecosystem.


Absolutely this. I currently have a document from my bank, that they emailed me, which I’m supposed to print, write all my personal info on, plus a copy of my passport, and FAX to them!!

All because I want to change my phone number, and I’m overseas.

Which I only need to change (or even have associated with my account at all) because they refuse to offer any other 2FA option.


Unfortunately, the only remedy to this I've found is to travel like James Bond with two cell phones. I keep a second Android phone with my 'back home' SIM on the cheapest monthly plan possible and only turn it on to read SMS codes. It really comes in handy when needing to sign up to a new service in your home country while abroad. Just don't forget to keep data roaming turned off.


Newer phones have a second virtual e-SIM slot. Very handy when you're travelling. You set up your normal number on the e-SIM, and then you buy a data-only physical SIM at the airport.


This is why I switched over to a VOIP number instead. SMS works everywhere I have internet, and if I have to I just pick up a data-only sim card for wherever I am. Can even check my messages online. Probably not as secure, and wouldn't work well if I was regularly calling people, but for the most part it works fine and costs $1 a month.


Unfortunately voip, in my case voip.ms, does not work with all sms send methods.


$1/mo? Which provider is that? Twilio?


Voip.ms


Why don't you just get a dedicated "virtual" phone number for this purpose? It's not expensive.

Skype is an obvious choice, but there are many other providers.

Then you have a stable number and can read SMS via app web UI.

I switched to the same method a few years ago. It's useful even if you don't travel much, just to not tie 2FA to your phone and for not giving all those services your real number.


I have two virtual (US) numbers - one through Twilio (which I've enabled short-code receive support for), and one on Google Voice.

Both have failed to receive 2-factor messages from providers over the years. Very occasionally the Google Voice number is blocked explicitly by the provider as a VOIP number. It's just not a reliable 100% replacement for "real" SMS in my experience.

Google Voice is close to acceptable as a replacement, and it's my primary 2-factor number when it works, but it's not 100% for reasons outside of my control.


>I have two virtual (US) numbers - one through Twilio

I've heard good things, can you port a cell number in or is it strictly voip? (I haven't done anything phreaking adjacent in ages)


Seems porting is supported:

https://support.twilio.com/hc/en-us/articles/223179348-Porti...

I used one of their existing pool of numbers.

For inbound short-code support, you have to contact support directly and agree to a legal T&C for them to enable it.


I have also travelled a lot in the past...

You presumably do have a "home" country in the sense of where your bank accounts are, get a cheap permanent sim/phone no with roaming, buy the tiniest phone you can off amazon and stick it in as your 2factor permanent number.

Yes, you have to keep that phone charged, but your problem is now permanently solved, it's how I did it.


SMS is not secure, that's why. Police have used special devices to intercept messages on a broad scale without any warrant, which means individuals can too. Service providers are well known to send "replacement" SIM cards out to people who then use them to access 2FA accounts. Happened to H3H3 on YouTube.

Phone numbers in general are insecure. There is no enforced verification system - people can receive calls from their own phone number, and people can fake the presented numbers. There is such a significant amount of spam callers as well. The FCC doesn't care.

The entire phone system in the U.S. needs to be remade with security, but powers that be really don't want that.


> Happened to H3H3 on YouTube

Also same attack vector used to get access to Jack Dorsey's Twitter account I believe.


SMS has no security at all.

SMS is not properly encrypted over the air, GSM and UMTS encryption is broken and often misconfigured anyways. There is no way to check and no guarantee that a SMS will be transmitted in a safe encryption protocol, i.e. no way to force LTE. And given the level of brokenness in GSM and UMTS, I wouldn't rely too much on LTE or 5G crypto being worth anything. End-to-end encryption isn't provided anyways.

Also, phone numbers are not terribly secure either. The control protocol for mobile networks, SS7, is a steaming heap of excrement without any consideration for security. There are numerous ways to redirect SMS and calls into the hands of criminals, which have been demonstrated over and over by researchers. Also, this is regularly being abused by the police, secret services and criminals. As a customer, you are completely at the mercy of the phone network to do the proper mitigation dance because SS7 is inherently broken and cannot be fixed, just maybe firewalled off (a little, but not too much...): https://attack.mitre.org/techniques/T1449/

Then there is a whole lot of social engineering cases to take over numbers and SIM cards which others have described nearby.

With 2FA via a proper app or even open protocols like TOTP, I can verify and trust much more of the auth flow. Properly done, I only need to trust the endpoints and (maybe, if used, with TOTP even that is unnecessary) the TLS connection. With SMS, I need to trust a whole lot of telcos between the endpoints, their firewalls, IDSs, (mis-)configurations, all their service providers and their employees not to fiddle with things. And actually, all of the aforementioned have repeatedly proven untrustworthy by using broken, outdated, and known-to-be-insecure technology.


SMS 2FA costs money per message. It's also subject to telecom rules -- you usually need to buy short codes by geography if you're sending at scale, and that involves dealing with bureaucracies at scale, too. Getting a short code can take weeks and cost thousands of dollars. Of course you can always pay to have other people do that management for you. But you're going to pay, nonetheless.

Then you have to worry about fraud, and whether telcos in <random country> have been hacked, or are corrupt, and are leaking messages to bad guys.

I've seen entire (small) countries drop out, too. Usually the way you find out about this is that support notices an uptick in users in <smallish country> complaining about not getting messages, or you notice that the entirety of some geography isn't successfully completing the transactions you tried to protect with SMS. Er, you did consult the (changing) prefix database and phone number parser to (semi) reliably determine a geography from a phone number, right? Isn't parsing phone numbers fun?

It's fractally terrible and expensive, and I haven't even talked about APIs yet.


> SMS 2FA costs money per message.

This is only because the telephone cartels control the networks. The same is more or less true of the Internet. Operators have advocated for anti-open-wifi laws across the globe so they can sell their internet access plans (xDSL/3G), when we could have free networking for all in all places.

Seriously though, why couldn't we have FREE privacy-friendly networking as a public service?


Why?

Here you have to buy access to certain frequency ranges (big money required). The bidding happens from time to time. Building the network infrastructure is not cheap either and requires specialists to work for you.

I'd rather buy that 4G from a company that can deliver it everywhere I go than move backwards in progress to use some random WIFI hosted by Joe that fights over the same frequency as John's across the road.

The "cartel" networks work pretty good tbh. They just have stagnated in everything else but networking.


There are several methods of hard and soft attack which are stupidly easy where ability to temporarily capture your phone number is the only necessary authentication factor.

SMS isn’t used as an additional layer but the only necessary layer to “recover” an account.


This is not emphasized enough. Many companies enable SMS both as a second authentication factor AND a single-factor account recovery mechanism.

As bad as passwords, savvy users can use a password manager and generate unique high-entropy passwords, but if the web site is forcing SMS on you, you lose all that security and now have to rely on vulnerable telco infra that is out of your control and was never built to facilitate authentication.


I don't think this is a one-sided debate.

Pro: SMS 2FA is better than just passwords. In practice 2FA is primarily a hedge against credential surfing, with its other security properties more theoretical than practical, and it mostly works well enough for that use case. (Perfect is the enemy of good.)

Con: there's lots of attacks related to social engineering the telecom into transferring your phone number. Real people have been compromised this way, albeit this attack is pretty targeted.

There are also some concerns about eavesdropping/MITM attacks. This is pretty unrealistic in my mind. If you're an on-path attacker for someone's cell phone convo, that implies you have direct access to the victim, so the victim is pretty screwed regardless.

So in the end it's a usability vs security tradeoff. It's a pretty close tradeoff, so it's not exactly a slam dunk in either direction.


No it's not better, it's worse. Because with SMS 2FA, you can most times reset the password and then everything is lost. With just a password and no SMS 2FA you can't just reset the password so easy.


So don't allow password reset over SMS.

Email is hardly better than SMS, and we do password resets over email.


> Email is hardly better than SMS, and we do password resets over email.

Email is certainly far more secure. Consider the steps an attacker would need to do to be able to intercept an email being sent from the service being accessed (say, your bank) to your email server provider.


"Email is hardly better than SMS" is an absurd claim. As has been written SMS is not secure, easily hijacked, and potentially transmitted in the clear.

By contrast, email can be made arbitrarily secure nowadays via e.g. DANE/MTA-STS, and it's entirely up to an email provider how secure mailbox access is.

Saying that "email is hardly better than SMS" when the former can be secured via DNSSEC/DANE and where the mailbox can only be accessed by me over an SSH tunnel is truly laughable. In fact since sites which demand phone numbers seem to have some completely baseless idea that the phone number is somehow more "secure" than email, often adding a phone number will enable phone number-based recovery methods which therefore actually reduce account security.


No mainstream email providers support DANE, which is about as realistic an option as SSH tunnels.


"mailbox can only be accessed by me over an SSH tunnel"

That's basically fantasy territory for an average user. If you consider the real world: abundant phishing, etc., then you will realise that in practice there is very little daylight between them.


Attackers who can defeat your password typically can also defeat your password protected email account.

Being an on-path attacker against SMTP is not a realistic threat model for most users.


While a password+SMS 2FA would be better than just password, the problem is that SMS often gets also turned into a single-factor password recovery mechanism; and SMS alone is worse security-wise than a decent password.


Well that's not 2fa. That is just 1fa.


> Pro: SMS 2FA is better than just passwords.

That's from the point of view of somebody trying a denial of service attack target at some user, right?


It's from the perspective that most users are bad at choosing passwords. We've been trying to get the average user to use distinct high-entropy passwords for decades and it hasn't worked.

Imo, if people used passwords correctly, all common 2fa solutions other than yubikeys would be useless.


> I’d love a parable of how using SMS as part of a layered security verification is somehow unacceptably vulnerable.

The article gives plenty of examples. Here they are as links:

https://www.vice.com/en/article/a37epb/t-mobile-alert-victim...

https://www.vice.com/en/article/xyezmn/we-were-warned-about-...

https://www.vice.com/en/article/mg7bd4/how-a-hacker-can-take...

https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-1...

The latest is the most severe, in summary - a gaping flaw in SMS lets hackers take over phone numbers in minutes by simply paying a company to reroute text messages.

So if you insert SMS 2FA in your security chain as a fallback authentication method, you're leaving it wide open to exploits and none of your other 2FA security like TOTP or tokens matters, because the attacker can just take over a customer/admin account using the SMS authentication to prove they are the user concerned then change those methods. In some cases you'll require an email as well, and in some you'll manage to send an email to that old email address before it can be changed, but many places don't, particularly mobile apps tend to rely on the phone number, and most people don't monitor every email address 24/7, so lots of damage can be done in a short period.

SMS really needs to be fixed and it's really debatable whether it adds security or subtracts security in the meantime, even in a layered approach.


The hatred is because it costs 16 dollars to take over a number:

https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-1...


Even easier are the sites that do this: "Please enter the phone number where we should send your one-time 2FA code: [_______]"

I've had that happen on more than one site. Surely anyone who stole my password would just put in their own number?


They would surely compare the number to the one they have registered, right?


Google oftentimes doesn't.

One of my accounts requires a phone number to verify every single time I login. I have no clue why, and it accepts absolutely any phone number.

I have no clue what the purpose is aside from forcing me to give sensitive information to other people when my phone isn't available or I'm traveling (which I've been forced to do already).


You didn’t set a 2fa in that account. So they ask for a phone number to correlate the login.


You'd think they would make it more clear ("verify your 2fa number"). Maybe they want to bait criminals into entering their own or something.


You might want to ask some of your greybeard coworkers...

https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for...


In Russia it is common for authorities to temporarily switch a phone number to another SIM card, then switch it back without the user even noticing it. This method was widely used to target dissidents and access their accounts.

To sum it, 2fa via sms gives only an illusion of safety.


I think that's a different threat level; an app that manages shopping coupons doesn't need to worry about the Russian government taking their "10% off" code.


Beyond it being insecure, I see it used too often as the only alternative to yet another proprietary MFA app.

Like Microsoft Authenticator. It wanted way too many permissions on my phone, and provided less security than my Yubikey authenticator. My yubikey provides a standard open OTP but requires the device to generate it (phone tap or plugin via USB to computer or phone).

Open standards are better. I don't want a different authenticator app for every website. It's so much simpler to use a single app.


Microsoft Authenticator can be replaced by any app that does standard OTP, e.g. FreeOTP+.


Oh nice, I just checked my account and it has the option now. It didn't when I last looked a couple years ago. I'm glad they added this.

Thanks for the heads up!

Still, the principle stands for a number of other sites, e.g., Steam (using their app or email), Twitch (Authy or bust), etc. I'd rather use an open standard than be limited to a custom or specific authenticator.


TOTP is definitely an open standard. https://tools.ietf.org/html/rfc6238


Probably the SIM porting attacks, where telco employees are vulnerable to being socially engineered into letting an attacker port your phone number over to another device. Also this new attack, which is more stealthy.


But that is not really true for most countries. In my country, to get a SIM ported you need to go to the shop and present your identification.


Social engineering is all about convincing people to do things they aren't supposed to do.


In all countries, you have but to prove to some lowly paid telco employee's satisfaction that you are the owner of the number. That is not a serious impediment.


Same here (Denmark with Hi3G), but they often forget. I've had a new SIM issued for myself just by saying the phone number.

Of course that's several orders of magnitude harder to do than just finding a leaked password somewhere, so it's still nice to have SMS as 2FA compared to nothing. It'll stop the mass bots.


Well, if somebody can mess with ss7 they wouldn't need even that.


Or even porting accidents. If anything goes wrong when you are switching carriers and intentionally having your number ported to the new carrier, you could be left with a non-working number until you get it resolved (which can be difficult because your phone is no longer working...).

And even if nothing goes wrong, it can take up to a day for the number to port in the US. That's a day without being able to log in to anyplace that requires SMS 2FA.

A TOTP app on my phone, on the other hand, works fine regardless of whether or not my phone number currently works with the SIM in that phone.


Some countries resolve the porting issue by having a list of numbers that have been ported, so that banks (for example) can check that and not rely on it if the port happened in the past two weeks (also, for example.)


SMS is fine for 2FA for Reddit. It's not fine when it protects things that have financial repercussions. But that's when we actually need strong 2FA.

It's been proven time and again that cyber criminals frequently target people using SMS 2FA to steal from them. Most implementations of 2FA might as well be 1FA. People might even use worse passwords when they think 2FA protects them.

I think the adoption of SMS as a "universal 2FA" was not worth it. We should've just gotten people used to the less easy but more secure methods. U2F bluetooth keyfob on my keychain would be good enough for my phone and PC. Remote access seems like the hardest nut to crack.


You never own the number. It could go to someone else at any time without notice (most contracts contain that line), and if you do not pay for only a few months it's very likely someone else suddenly gets your 2FA.

Using phones is honestly a huge security issue


SMS is completely insecure. Not only can it be passively sniffed along the way, not only can malicious actors reroute your number, not only can pretty much any employee at your telco access it, not only can pretty much any employee at your telco get tricked into rerouting it, but by default (and therefore for the vast majority of users), it'll show up while the phone is locked!

It's equivalent to taping your key to your back door. Sure, someone has to go to your back door first to see it, but then they're in.


SMS 2f is only used to collect phone numbers. There is already an open standard called TOTP that people can use, and which requires no special access and isn't locked to any PII.


I don’t think anyone hates SMS 2FA in general, just that it is more susceptible to MITM attacks (snooping/interception) than other solutions (device, key, app), as is made clear in this article.

I note, however, that this attack seems to only be possible on VOIP routable numbers, and it’s my experience that banks, etc, will not allow you to use VOIP routable numbers for 2FA. That’s definitely not the case for a naive implementation of sms 2fa as would be done by likely any dev using Twilio, etc.


I hate sms because most 2FA services don't deliver to VoIP numbers.


Further reading suggests this isn’t just voip numbers!


SMS is not at all secure. My first out-of-uni programming job was working on SMS value-add services for mobile networks (mostly anti-spam, anti-fraud, anti-spoofing type stuff and roam steering, but also parental controls and other stuff). It was crazy what weird things we could bend the network to. Obviously, our services ran on the network itself, so had more access than a typical end user, but the protocols have zero built-in security, everything on the network was totally open, spoofing is trivial (we could detect much of it with our software, but definitely not all -- mostly all we could do was consistency checks, but if you carefully crafted a fake packet, there's nothing we could do). As others have stated, the over-the-air encryption is often... not good... so getting access to SMS like we had seems very possible. And since it's not end-to-end encrypted, a bad actor within the network could also trivially access messages (we could! we even intercepted some of our own messages for testing; it would have been a simple regex to read other people's messages).

This was ~15 years ago, but I doubt much has changed.


I wrote up a long article on a number of ways to do MFA. https://fusionauth.io/learn/expert-advice/authentication/mul...

In looking around, a few things became clear:

* the tech industry hates SMS
* there are some common social engineering and a few network level attacks that SMS allows
* it's widely deployed and supported
* it's a heck of a lot better than nothing

I think the title of the original article is a bit absurd. That's like saying "It's time to stop using passwords for security." Sure, you can say that, but your grandma will still have a sticky note of passwords next to her computer.

Defense in depth without relying entirely on the user to secure their systems makes a lot of sense to me.

Ban SMS if you aren't worried about adoption of MFA (for example, because you are a corporation and can mandate TOTP). Otherwise find ways to work with it.


As the article explains, SMS is just plain insecure. So attempting to rely on it for MFA is worse than nothing (worse, because it allows attackers to lock out legitimate users).

Ignoring security (not that we should), it's just a massive pain from a pragmatic point of view. As others note, right when an SMS MFA is triggered is most of the time when I can't receive an SMS, so everything breaks when I actually need access.

Much easier solutions exist today, with more convenient adoption at scale, like email and TOTP.


Here's a parable, from personal experience [0].

TL;DR: my mobile phone number (not the phone itself) was hacked, then my Twitter account. The attacker changed my Twitter handle from @simon to @simonsw9kww.

I eventually recovered my @simon twitter account, after several MONTHS and several emails and calls to twitter support and friends working at Twitter.

Is this enough for you?

[0]: https://simon.medium.com/mobile-twitter-hacked-please-help-2...


I actually love SMS 2FA (and the rare few on HN do too). It is the simplest form of 2FA that non-tech people will actually understand and use. Unless people want to argue 1FA is better than crappy 2FA.

SMS gets hatred especially in the US because of how easy it is to socially engineer their way to a SIM replacement or other SMS uses. Mostly because, for unknown reasons, the US has the absolute worst MNOs in the world. In other places SIM replacement requires official forms to be filled in as well as physical presence. It doesn't matter whether SMS is a form of 2FA or not; getting my SIM card without a decent form of protection from the carrier is wrong in the first place.

And RCS doesn't seem to want / be willing to replace SMS anytime soon. Carriers have little incentive to do so. It is backed by Google, which means not everyone is on board, including Apple. And the GSMA has no intention to make a better SMS either.


Having built a system to handle SMS for a previous employer about 10 years ago: the US's fractured mobile phone system did not help. Back then you could not reliably deliver SMS across systems.

Unfortunately, it's yet another example of the US's poor regulation of telecoms; receiver-pays is another example.


The URL is giving an empty page for me, so I'm afraid I can't really comment on the content of the article itself.

With that said, people should fear any site/service that uses SMS for anything security related. SMS 2fa is a fairly common vector for compromise.

It can be nice for a "data feed" though. Like, getting an update on the status of your delivery driver. Though, this can also be really annoying when say... your old college starts spamming you with stuff... which I got to experience this weekend at 1am. :)


Living in Germany, I don't remember the last time I used an SMS. When I was in south-east Asia I don't think I ever used SMS, it was always Line (or WeChat in China) or email. Is there a reason SMS is so much in use in the US but not in other parts of the world?


US was the last to start using SMS and will apparently be the last to stop. The US was behind the curve because it was one of the few places in the world where local calls were free so people didn't bother with SMS for a long time. As for why it's still here, my guess is that the messaging space is extremely fractured here and it's the only text messaging someone is guaranteed to receive.


And SMS was stupidly expensive like 10 cents a message for years. It wasn't quickly adopted because it was not a good value.


US mobile plans gave enormous buckets (thousands) of SMS messages a month to mobile users 10-15 years ago, so there was little incentive to move to other mobile messaging systems.

Conversely, the lack of such generous SMS allotments in most non-US countries drove widespread adoption of WhatsApp/Facebook Messenger/etc.


In the US, most cell phone users are on unlimited voice/text plans. There is no cost to most consumers for sending and receiving SMS in the US. Also, the Line / WhatsApp / WeChat equivalent in the US is Facebook Messenger. That is how SMS has won.


The good thing about SMS is that it's standard. I live in Sweden, and just about everyone has a smartphone. SMS is still common for things like package delivery notifications or other service notifications, and SMS is still an option for many transport tickets, though it is being phased out in favor of app solutions.

SMS works whether you're on iOS or Android, it works for the few users of classic phones, it works if you don't currently have mobile data, etc. It's not a secure method of communication and has other flaws, but it's the most reliable one if you don't know anything about the recipient. Whether they're using their beloved Siemens S35 or the latest Android flagship, they can receive an SMS.


Yeah honestly, it's a shame that every one of these services (WhatsApp, Signal, Telegram, ...) don't operate on a protocol like SMTP. It's completely unnecessary to recreate a chat protocol every time it gets implemented. Here we are though, and exactly the thing you are expecting is happening: several competitors that don't interact with each other, so even if I want to delete WhatsApp, I still keep it to reach family and friends elsewhere.


Tbh I haven't heard of SMS hijacking in Europe either.

Is this an American thing, like SSN identity theft?

Or checks... let's not forget checks...


I assume it is a lot easier in the US. Here in Norway it is still possible as well though, there was a media showcase about it a few years ago. But that is mostly due to lack of security measures by the telco (we have a national auth method that could be used).


I don't think that's true though. Maybe you haven't SENT any, but I bet you receive a lot. At least I do: from my bank, from some of my bank accounts, from my mobile service provider, from my parcel delivery service. From Coinbase, from PayPal... The list goes on and on.


So, I just checked, during the past ~6 months I got the following:

- Clubhouse invite

- A security code from a trading exchange

- My mobile internet provider telling me I reached 80% of my monthly data budget

- A few codes to validate my phone number when creating new accounts on platforms

And that's basically it.


Exactly. Imagine losing access to that number for whatever reason. That's the exact issue: this number is now part of your security concept whether you want it or not.


I live in Germany. Only SMS I receive nowadays is from PayPal. For whatever reason they use it arbitrarily in addition to the other 2FA I set up.

Banks all have their own 2FA apps.


I am in Switzerland and half of web services ask for an SMS confirmation these days. It's not a US issue.


Not even niche web services. Yesterday Amazon insisted I tell them the code they sent to a phone I haven’t owned in 5 years.


Imagine making an account with Twitter these days without a major phone provider. Twitter seriously would not accept my last SIM from a small Swiss provider, and neither did Facebook and many other services.


SMS is a standard and easy way to send/receive messages without using incompatible messaging apps owned by third parties. And the only way for me (except email) since I don't use Android or iOS.


Not all people have or want smartphones.


Don't know about the US but I haven't seen anybody using classic GSM for years now...


I have a smartphone, but I usually don't have a SIM card. One is not exclusive to the other. I use and need Google Authenticator and some other apps, and I also like to surf on my couch.

What I definitely don't need is being reachable and available 24/7 wherever I am.


I know plenty of folks using those. Most people do it by choice because the hardware is more reliable and the battery more durable, but some also do it because their planned-obsolescence smartphone broke down.


I've seen that many elderly folk prefer phones with tactile buttons to touchscreens, so they keep using non-smartphones.


I wonder how much of an overlap there is between those still using classic GSM phones, and those who listen to vinyl records.


It's still used a lot also in Europe for OTP codes (banking and such), as well as for shops/deliveries, where they send an SMS for order status changes (shipped from the warehouse, in transit, ...).


Since PSD2 every German bank I know has moved to 2FA mobile applications instead of SMS, and I expected the same for the rest of the EU. I'm quite sure that delivery companies also work with emails (at least that's the case for DHL, UPS, DPD, etc.; they always send me notifications via email).


I also live in Germany. I don't want to get some extra service tied to my phone number, so contact with people is via SMS if it has to be mobile, e-mail otherwise.


I think it's because of Apple iMessage, since a lot of Americans have iPhones and they use iMessage, which sends SMS when the phone on the other end is not an iPhone.


For the love of God, stop using Medium. I don't understand how authors don't know better by now.


“It’s time to stop using Medium for anything”


Why?


https://l.sr.ht/XhOm.png

If you actually want people to read your content, then don't put it on Medium. Not to mention that it's bloated as hell, requires JavaScript, burns batteries on mobile devices, and is full of loathsome spyware software.


Agree. It's also one of the annoying websites that breaks scrolling with yet more javascript crap. It's a lot of cruft for a text-with-images page that hasn't changed conceptually since 1995.


What was the conceptual change that occurred in 1995?


"Identity management is hard. I know, let's just let the phone company deal with it!"

Later...

"Oh no! The phone company is doing a terrible job of solving our identity issue!"


Yahoo! Japan, one of the most famous websites in Japan, forces users to use an insane auth method: SMS 1FA. It even accepts a phone number as login ID. This is really stupid.


It's a rather recent thing, and it's touted as a security feature. To be fair, Japan seems to be safer than most of the world when it comes to SIM swapping (there are pretty strict identification requirements defined by law) and to porting phone numbers between SIM cards. I also never heard of any case of attacks against SS7 or other parts of the telecommunication stack in Japan (I'd be happy to know if someone has).

That being said, a certain class of SIM cards (SMS-only cards, without voice functionality) is exempt from most of these strict checks as far as I know, and there are other technical vulnerabilities that are probably just waiting to happen in Japan before they're taken seriously.

I'm a little bit surprised that Yahoo! Japan went for SMS as the only authentication method, since they're one of the main sponsors of the FIDO Japan WG.


EDF, the largest electricity provider in Europe, does the same in France. Actually, it even manages to do a bit worse: 1FA using SMS or email, but the choice is left to the potential attacker.

I've spent countless hours trying to explain the issue to them in 2019 and gave up as nobody cared.


What's the incentive for attackers?


Why is this a download?

My covid project was an SMS news API that is completely controllable from your phone and delivers short news summaries on any topic scraped from across the web (www.zipnews.io). While it's fun and has several paying customers, the SMS can be somewhat expensive to send. The strength is that everyone with a connected cell phone can access the API.


The website does not currently work for me. Here's a working archive.org mirror:

https://web.archive.org/web/20210316074533/https://lucky225....

If that mirror keeps hiding the text, blocking all inline scripts with uBlock Origin solved it for me.


Did anybody experiment with using Twilio (or similar) to receive 2FA SMS?

There are a few services that I use that mandate or only provide SMS as a 2FA. Using Twilio seems rather ideal since they have stricter control over porting numbers. The message is probably harder to intercept as well since it goes to their servers directly. And finally the phone number is harder for an attacker to find out since it's not my day-to-day number.


I tried this for a bit, but it turned out a number of services (Google, Facebook) would fail (silently) when sending an SMS to Twilio numbers.

It might no longer be true, as there was a Twilio support page that confirmed this behaviour but it is now just a 404 [0] (though you can see a mention of it on StackOverflow [1]).

[0] https://support.twilio.com/hc/en-us/articles/223134367-Sendi...

[1] https://stackoverflow.com/a/55852784


A lot of services reject numbers from known VoIP providers as a way to reject fraud (and I guess prevent people from defeating number-based marketing/advertising tracking by using unique numbers?).

You can work around that by using lesser-known providers. In the UK, Andrews & Arnold (https://www.aa.net.uk) provide UK mobile numbers which don't seem to be rejected by anything.


It’s about making bans for fraud and abuse more expensive to repeatedly evade. The expected value of a few extra spam messages is lower than the cost of a new number.


A few of my employers use(d) Twilio for 2FA SMS, one of which is UK FCA regulated.


My bank (USAA) decided to switch their 2FA away from SMS a while ago. They only do email or the USAA app auth code. I love it and I feel much safer with them because of it. Let's do start to move away - yes!


What did they switch to? I've been wanting to use my U2F token for my bank account for a while but haven't seen any that support that yet.


Should be optional.

I feel equally threatened by a potentially weak bank app running on my phone all the time as I would my carrier giving away the keys to the castle.


If only there were any perfectly good open standards for 2FA that were implemented by numerous free apps and/or secure hardware tokens...


TOTP is not good enough for banking where you really want to confirm specific transactions, not generate codes that an active attacker intercepting your session could use to do anything.
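To make the distinction in the comment above concrete, here is an added example (not code from the thread or from any bank or vendor mentioned in it) that implements RFC 4226 HOTP and RFC 6238 TOTP in plain Python and then a transaction-bound variant of the same construction: the shared secret is first mixed with the transaction details (amount and recipient) via HMAC-SHA256, so a code approved for one payment fails verification for any other. The secret, timestamp, amounts and recipient strings are constructed for the demo; the transaction-bound scheme is an illustration of the idea, not any bank's actual protocol.

```python
"""
Added example: generic TOTP versus a transaction-bound confirmation code.

A plain TOTP proves only that the holder of the shared secret is present
right now; any action submitted while the code is valid is accepted.
A transaction-bound code folds the transaction details into the key, so
the code cannot be re-used for a different amount or recipient.
All secrets and sample values below are constructed for this example.
"""
import hashlib
import hmac
import struct

# Constructed demo secret; real secrets come from a CSPRNG and are never hard-coded.
SECRET = b"constructed-demo-secret-20by"
TIME_STEP = 30   # seconds per code, the usual RFC 6238 step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def transaction_code(secret: bytes, amount_cents: int, recipient: str, at: int,
                     step: int = TIME_STEP) -> str:
    """Transaction-bound code (illustrative scheme, not a standard):
    derive a per-transaction key from the secret and the transaction details,
    then run the normal time-based HOTP with that key."""
    details = f"{amount_cents}|{recipient}".encode()
    bound_key = hmac.new(secret, details, hashlib.sha256).digest()
    return hotp(bound_key, at // step)


def verify_totp(secret: bytes, presented: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock skew.
    Comparison is constant-time; the code says nothing about what is being approved."""
    return any(
        hmac.compare_digest(totp(secret, at + skew * TIME_STEP), presented)
        for skew in range(-window, window + 1)
    )


def verify_transaction(secret: bytes, presented: str, amount_cents: int,
                       recipient: str, at: int, window: int = 1) -> bool:
    """Same skew window, but the server recomputes the code from the transaction
    it is about to execute, so a mismatch in amount or recipient is a failure."""
    return any(
        hmac.compare_digest(
            transaction_code(secret, amount_cents, recipient, at + skew * TIME_STEP),
            presented)
        for skew in range(-window, window + 1)
    )


def demo() -> tuple:
    """Returns (generic code accepted for any action,
                bound code accepted for the intended payment,
                bound code accepted for a tampered payment)."""
    now = 1_615_800_000  # constructed fixed timestamp so the demo is reproducible

    # Generic TOTP: the user typed this to approve a small payment, but the
    # server cannot tell which action it was meant for, so it works for anything.
    generic = totp(SECRET, now)
    generic_accepted_for_anything = verify_totp(SECRET, generic, now)

    # Transaction-bound: the user's device shows "50.00 to FRIEND" and computes
    # the code over exactly those details.
    bound = transaction_code(SECRET, 5000, "constructed-recipient-friend", now)
    legit = verify_transaction(SECRET, bound, 5000, "constructed-recipient-friend", now)
    # A session that swaps in different details gets a verification failure.
    tampered = verify_transaction(SECRET, bound, 900_000, "constructed-recipient-other", now)
    return generic_accepted_for_anything, legit, tampered


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The `hotp` function is checked against the RFC 4226 test vectors (secret `12345678901234567890`, counters 0 and 1 give `755224` and `287082`), so the base construction is the standard one; only the key-derivation step for the transaction-bound code is the example's own addition.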


Fair point, but if one declines to install their proprietary apps it just falls back to SMS verification which is obviously terrible.

Kraken (a cryptocurrency exchange) allows you to set up one TOTP token for regular logins, and another, separate one for withdrawals... obviously not as good as individual confirmations but still a heck of a lot better than SMS!


It is optional. I'm a USAA customer as well, here's a screenshot from thirty seconds ago: https://i.imgur.com/boA4dc1.png


Email is much worse than SMS.


It could be better if the sender's SMTP server forced the use of TLS. Most emails are now sent encrypted, but it isn't usually enforced.

If you control your own receiving server then it would be hard for someone to intercept the message.


That's not why it's bad.

It's bad because 85% of the use case of 2FA is people using bad passwords. If you use a bad password in one place, you probably are also doing so on your email.


As someone who does not keep a fixed phone number, this reality really sucks. But I don't want security through something I don't own, and there is no way to actually own a phone number.


The link points to a zero Content-Length page with no Content-Type header, so it behaves weirdly; Safari, for example, tries to download it.


In Firefox for me, it's just a blank page, and the headers returned seem mostly to be from Cloudflare rather than Medium.


The title is misleading. This is not in fact "stop using SMS for anything", but "stop using SMS for security purposes". There is a great reason why SMS should still be in use: nothing interoperable exists with an equal adoption rate. I will not rehash the usual argument about WeChat and Whatsapp, there is plenty of discussion about them.


When did Medium become a paywalled site?

Do writers on it know that you can only read 3 articles before you are required to create an account and login? (like pinterest)


Use a private window to get around this. It's not a very advanced mechanic (yet).


Cookie Auto Delete solves the issue
