
Companies embracing SMS for account logins should be blamed for SIM-swap attacks

zaptheimpaler
76 replies
15h58m

Before this new wave of SMS trash, we just had TOTP codes that 1password could auto fill for me on any device in any location. Now I need to pull out my phone constantly and pay for international roaming or set up SMS forwarding to travel even if I don't need the number. Yay security!

If the argument is that a phone number can always be recovered from real world identity, link the damn authenticator app to SMS instead of having to hand out your phone number to every company in the world.

Groxx
26 replies
15h40m

The problem is that your authenticator app doesn't give them access to a relatively stable, cross-site/app/etc identifier that they can sell for advertising peanuts.

nikau
18 replies
15h31m

Also the average Muppet consumer can't manage it

bugbuddy
17 replies
14h53m

Not true. If we make Yubi keys cheap enough (below $5) then everyone would want them. Everyone is already carrying around keys, they won’t mind 1 more key. Why can’t we make yubi keys cheaper?

hedora
6 replies
14h45m

Pocket space is finite. There's no way I'm carrying a yubikey unless I can jam it in my laptop USB port (defeating the purpose of it) and forget about it.

scrose
4 replies
14h29m

A Yubikey used in that way is still more efficient and secure than every other option.

Someone would need to physically take your laptop, unlock it, and get your account passwords before they could use your yubikey to login to accounts.

bofaGuy
3 replies
14h16m

Then why not just store the encrypted credential on the device itself?

Would that be what passkeys would be?

scrose
0 replies
2m

A couple of other people answered you already in a lot of detail, so I don’t have much to add there.

But I do recognize that really is a legitimate question and it feels like Yubi would benefit from running more outreach / promotion programs with schools and companies. I never felt like I could justify spending $50 just to try it out (especially when it doesn’t have support in a lot of sites), but then they partnered with Cloudflare to sell up to 5 per person at $10 each. It was a no-brainer to try it at that price and I haven’t looked back.

numpad0
0 replies
11h58m

Passkeys are like embedded Yubikeys, or, Yubikeys are like external passkeys.

The point of passkeys is that the key is kept inside a separate secure computer running secure blobs, so user code can't touch it. That sounds sketchy, but contactless payments using a similar embedded secure computer have been fine, so this should be too.

crote
0 replies
13h33m

Theft: A $2000 laptop is an easy target for anyone with sticky fingers, and so is a $1000 smartphone. A Yubikey has essentially zero resale value, so you will not lose them due to random theft.

Durability: If you drop your smartphone, there's a pretty good chance you'll shatter the screen and buy a new one. You can play tennis with a Yubikey and it'll be fine. You can run it through the washing machine and it'll be fine.

Longevity: Laptops and smartphones generally only have a 3-5 year lifespan due to battery degradation, and many people will want to swap it for one with more storage or whatever anyways. A Yubikey will essentially last forever, and if you stay clear of the insanity that is Passkeys its Webauthn element can support an infinite number of websites.

Portability: I have a smartphone, a work laptop, a home laptop, and a home desktop. My Yubikey has USB and NFC, so it can trivially be used with all of them. Individually enrolling each device would be a nightmare, and having the credentials sync is a bad idea from a security perspective.

Security: If your device gets compromised, it's pretty much game over: the attacker can now log in to all your accounts, any time they want. With a Yubikey I have to physically insert it and tap the button for each login - which is relatively rare because active sessions don't tend to expire. This means I would have to actively participate in a mass compromise of my accounts, making it way more likely to be noticed.

bootlooped
0 replies
14h37m

That wouldn't defeat the purpose of it.

x0x0
4 replies
12h2m

It has nothing to do with cost.

Using a yubikey says, specifically, that if I lose this little device and the bypass codes, that I have presumably stored on encrypted storage in a way that doesn't require the yubikey to access, then I want it to either be impossible or exceedingly difficult to recover access to this account.

Very few people actually want that, and if yubikeys become widespread, there will be a wave of people having tantrums because their yubikey is lost and the account is unrecoverable.

If it isn't extremely difficult to recover an account in the absence of a yubikey and the loss of the bypass codes generated on enrollment, then there's no point to them.

I've run a b2c website. There is a shocking percent of internet users -- I'd estimate 20% -- that cannot reliably tell you their email address (5% that literally can't, and another 15 that can't reliably). Those users having yubikeys would be an utter disaster.

lukeschlather
1 replies
11h50m

It's absolutely a problem with cost, though a little bit with UX. If YubiKeys cost $5, it would be reasonable to have 3 of them: one you keep on your keychain, one at home, and one somewhere else. The UX problem is that you would want a way to enroll a YubiKey that you don't physically possess, but that is a solvable problem.

The bigger problem is that a large number of sites don't implement MFA properly, and don't allow you to enroll multiple MFA devices. This really could only be fixed with regulation that clearly defined MFA, so there would be consequences for improperly implementing it.

x0x0
0 replies
11h35m

I promise you there is a significant percentage of people that would fumble enrollment; you handwaved away a giant problem (multiple enrollment, not present); and many people would put them all on the same keychain.

In the politest way possible, I question whether you've interacted with the modal user.

edit: I can try to dig up the article, but here's the precis: 5-ish years ago, google briefly changed their search results ranking. Lots of people were logging into facebook by searching facebook, instead of typing facebook.com, then following the top result. Some other site briefly was the top result when searching for google. That site got a wave of users submitting help requests because they couldn't log in with their facebook credentials, and accusations of subterfuge or wrongdoing because their accounts were deleted. I think it was pinterest, but I may not remember correctly. Either way, it looked nothing like facebook and didn't use blue.

That's what a significant fraction of internet users are like.

ern
1 replies
11h53m

There is a shocking percent of internet users -- I'd estimate 20% -- that cannot reliably tell you their email address (5% that literally can't, and another 15 that can't reliably).

My email address is firstname.middlename@<wellknownemailprovider>.com

I get a dozen emails a week from companies and government agencies trying to reach people with the same first + middle name combination from around the world. People seem to think they automatically get an email address with their name provisioned or something and they just sign up for accounts and services using that combo.

bonton89
0 replies
4h53m

Truly bizarre how many large companies do not verify email addresses before setting up accounts.

xpressvideoz
0 replies
14h7m

No freaking way. I don't use YubiKeys not because they are expensive, but they are less convenient than other options.

ptman
0 replies
7h11m

There are some quite cheap FIDO2 keys ( https://www.token2.com/shop/product/token2-t2f2-fido2-and-u2... ). But WebAuthn / Passkeys can also be provided by your Android or iOS phone. Or the TPM chip on a laptop.

irjustin
0 replies
13h53m

No I promise you they won't "want one".

RSA keypads were an example. Absolutely free. Hung on keychains. Work well in that it was "secure" and worked, but an absolute nightmare for the banks to manage. UX was equally terrible (sure Yubikey isn't that).

The only way to mass introduce it is to require multiple key entities to push and collaborate, like your bank + phone provider, to push it out for free.

Yubi keys are a logistical nightmare for my parents. SMS is not. For my parents, sticking to something in the phone is good.

freddie_mercury
0 replies
11h36m

$5 is cheap where? Most internet companies are global and have little desire to cut off customers in developing countries, since that's a major area of growth.

$5 in the US is roughly equivalent to $20 in my country, when you adjust for purchasing power parity. We have over 70 million people who use Facebook and Youtube daily.

If rich Americans won't pay $20 for a Yubi key (and they are currently $25) why should we be expected to?

anonzzzies
0 replies
13h44m

I have and use yubi keys; they are annoying to set up and use compared to sms. No one will want that outside a few geeks.

fastball
2 replies
15h1m

Also an identifier that is much harder to create bots/spam with, as phone numbers are harder to come by than email addresses.

Frost1x
1 replies
14h12m

Almost counterintuitively I deal with more spam SMS than I do email but that’s probably less a factor of actual volume and more a factor of the need and sophistication of filters for both services.

masklinn
0 replies
10h42m

It’s likely also a function of the market / location / network incentives.

My own anecdote is that I almost never receive spam SMS despite having nothing in place beyond whatever my service provider does.

Spam mails make it through two+ layers of filters (service provider + my own) more often than I get spam SMS, and I have to trawl the wasteland that is the spam box once in a while to ensure important mails have not been misclassified.

nicbou
1 replies
11h29m

That's why my banks use their own apps as 2FA factors.

lifestyleguru
0 replies
7h37m

My banks' own 2FA apps inevitably stop working at some point. They shut down immediately after launching. Alternatively, they stop reacting to tapping the "confirm" button. If I leave them unattended for a few months, I'm almost certain they won't work on the next use.

JumpCrisscross
1 replies
15h34m

Require a phone number for account creation and support TOTP. Win-win.

lcnPylGDnU4H9OF
0 replies
14h56m

It’s a loss from the business’ perspective. They could support 2FA with SMS and check a box; to additionally support it with TOTP would only be additional cost -- albeit with the bonus of “doing it right”. Unfortunately, that’s an abstraction which a lot of businesses consider to be achieved when they can check the box.

rlt
15 replies
14h23m

we just had TOTP codes that 1password could auto fill for me on any device in any location

Doesn’t using your password manager as TOTP code generator reduce the number of factors back to 1?

artimaeis
4 replies
14h14m

If the attacker is targeting your 1P, then yes.

If the attacker got a list of passwords from a leak and your password was on it, the 2nd factor provided by the TOTP will still save you.

So, it just depends on your threat vectors. I’d rather people I support keep unique passwords alongside TOTP in a manager they’ll actually use than skip or use SMS TOTP because of a vague concern about targeted hacking of their manager.

lolinder
3 replies
13h40m

If you're already using a password manager with secure randomized passwords, you're not vulnerable to credential stuffing unless that specific service had a breach. I suppose TOTP may still protect against unsophisticated phishing, but only as long as the attacker doesn't phish a TOTP code at the same time and pass it straight along to the service.

Are there other threats that TOTP-in-password-manager can protect against that the randomized passwords don't already?

Groxx
0 replies
12h38m

Are there other threats that TOTP-in-password-manager can protect against that the randomized passwords don't already?

tbh the UX problem of 2fa for "I use random passwords and am not vulnerable to credential stuffing" users is a pretty big reason to stick TOTPs in your password manager.

Security is always a series of trade-offs, and 2fa brings some hideous trade-offs in many sites (well over half only allow one at a time, for example, and then you lose access permanently). TOTP with a standard like this lets you choose, rather than the site choosing for you.

GoblinSlayer
0 replies
7h53m

Sites can't rely on password managers and will make TOTP mandatory, cf github.

8organicbits
0 replies
11h4m

unless that specific service had a breach

Right, and if an attacker can dump password hashes they can likely dump TOTP seeds as well. With that level of database access the attacker may be able to steal all your info from the impacted service, so talking about the password may even be a distraction since all your data is already stolen.

Alpha3031
4 replies
14h8m

Some password managers do offer the option of challenge-response from a hardware key, but technically speaking the password manager vault file can be considered "something you have" so long as you store it securely, like your SSH private key.

lolinder
1 replies
13h38m

Yes, it's something you have, but it's not a second factor if you're storing your (randomized) password in the same place. If you do that it's just two redundant checks that you have access to the same single password manager vault.

prmoustache
0 replies
12h14m

Well, in the context of mobile login so is TOTP, push based Microsoft auth and other kinds of mobile based shit.

I don't know anyone who buys a second smartphone to make sure 2FA is on a separate device.

crote
1 replies
13h27m

I'd have to disagree.

The problem is that the vault file can be copied, which means this is now "something you and your attacker have". Even worse, it's not just the (probably encrypted) vault file: if your computer ever gets compromised, it is trivial to wait until you unlock the vault, at which point they can extract the now-plaintext TOTP secrets.

The way I understand it, the "something you have" factor is something which is intrinsically only a single item: either you have it, or you do not. If it can be copied, one of the copies could be compromised without you noticing - and because it's a copy you wouldn't even be able to revoke it without changing your own token too.

RaisingSpear
0 replies
9h2m

if your computer ever gets compromised

If that happens, nothing will save you. The malware can just grab your session tokens whenever you log in, then do whatever it pleases.

klempner
1 replies
14h15m

In practice the only widespread attack that either TOTP or SMS authentication help with is credential stuffing, and if you use a password manager to use unique passwords on each site you're not susceptible to credential stuffing to begin with.

Symbiote
0 replies
10h47m

Both provide some protection against phishing sites, where the phisher needs to maintain their access.

mook
0 replies
14h6m

Wouldn't you still need the password database, plus the password or whatever used to open that database? The two factors are related though (a good keylogger should be able to get both).

fulafel
0 replies
13h36m

Multi-factor isn't an end in itself; one strong factor is fine for most things. If your pw manager is good enough to not get tricked by phishing, that's already better than most manually used MFA.

WWLink
0 replies
14h19m

You could always use a different password manager or different buckets. Both the apps I use (one for TOTP and one for passwords) can do both lol.

ensignavenger
9 replies
15h21m

I use my Google Voice number for everything because I can't trust I will have the same number if I change carriers (I have found that porting numbers between MVNOs can be hit and miss) and because I sometimes travel internationally. Now, stupid companies are demanding a phone number, and blocking Google Voice from being used...

prmoustache
1 replies
12h11m

I use my Google Voice number for everything because I can't trust I will have the same number

You can trust Google to let you use it forever and not block your account at any time without warning, though.

ensignavenger
0 replies
2h48m

I only use SMS based auth for services that demand it, and I find alternative services if they are really critical. Although lately, more services are forcing it without any advance warning...

kurthr
1 replies
14h42m

Don't worry, soon Google Voice will be abandoned by tehGoog.

(Perhaps this is just dread since I use it for the same purpose)

ensignavenger
0 replies
2h47m

I understand the feeling! I would love to find an alternative, but I haven't yet. I only use Google Voice for services that demand it, and I try to find alternative services when possible. I never use SMS auth for anything truly critical.

bonton89
1 replies
4h42m

Amusingly I believe Google voice needs a valid phone number to sign up for Google voice.

ensignavenger
0 replies
2h50m

They may require a phone number now... but I am not so much worried about using my temporary carrier number to sign up, because Google doesn't force me to login with SMS (I now use Google's Passkey support, with two passkeys: my phone, and my Bitwarden account).

AnonC
1 replies
14h38m

Google Voice (the free service) has its own pitfalls, which I believe make it a very poor choice to use for online accounts. I’m speaking from personal experience. If you happen to not use it for a little while, Google Voice will send an email with minimal notice (with Murphy’s Law, this will be during a vacation break) that the number will be deactivated. Once that happens, you cannot reclaim that Google Voice number using the same linked phone number. You have to get a new phone number that has never ever been used with Google Voice and then try to link it. Even then, Google Voice will send the OTP and make it seem as if the linking worked but will show as unlinked (and the Google Voice number unavailable) after just a minute or two. You’ll have to retry with another number over and over again until you start banging your head against the wall. After maybe a few weeks or several weeks, that Google Voice number will not even show up for reclamation.

Google Voice is a total mess, and as a “free” consumer service that Google has shown little interest in maintaining and supporting, you don’t get any kind of support or help whatsoever.

My sincere advice (if you’re a free Voice user) would be to delink your Google Voice number from all critical services. Get a real phone number for which you have the ability to get customer support.

ensignavenger
0 replies
2h52m

Yes, I am aware of these pitfalls. I only use SMS based auth for things that demand it, and if it is a thing that is truly critical, I find an alternative that doesn't demand it. At the very least, I ensure that I have a way of physically showing up and getting my account recovered in a worst case scenario.

Google Voice is probably my favorite Google service... I have looked at alternatives many times in the past and have never found anything that compares that isn't super expensive (and usually not as good). I really hope Google keeps it. But I am prepared to migrate if Google shuts it down (and I really hope they provide a seamless number porting experience if they ever do...).

alpaca128
0 replies
9h58m

Trusting Google for anything is a lot riskier than trusting a carrier once in many years.

Their own internal teams as well as game studios didn't know about Stadia's end until the day it happened, what makes you think they'll treat you better with an unpaid service?

gruez
6 replies
15h23m

Now i need to pull out my phone constantly and pay for international roaming

Weird, all the carriers I used either have free international roaming (at least for receiving text), or have wifi calling which allows me to use my phone as if I'm on the home network anywhere with an internet connection.

jeromegv
1 replies
14h24m

Thank you for your anecdote. However your personal experience doesn't reflect everyone.

Many people don't have free international roaming; in fact mine only has roaming for the US (I'm in Canada) and has zero roaming options available outside of North America.

Symbiote
0 replies
10h43m

Outside North America, receiving text messages is always free.

Receiving calls isn't necessarily free when roaming.

daveoc64
1 replies
14h19m

As a European, the idea of paying to receive a call or text is alien to me, but I understand it happens in the USA.

I'm pretty sure it's illegal for an EU network to charge for receiving a standard SMS or MMS - even while roaming.

I can therefore receive an SMS OTP in any country and won't pay a penny.

rootusrootus
0 replies
14h12m

I understand it happens in the USA.

False

lxgr
0 replies
15h11m

Mine doesn't!

And though the one I used before did, I usually have a cheaper local SIM in my phone for data use when I'm traveling, and I'm not swapping SIMs just to authenticate to some company that hates its customers.

ensignavenger
0 replies
15h17m

I am occasionally out of the country for more than a month... I usually pause my phone plan because I don't want to pay for a service I am not using. Sometimes I even get a different number when I return and restart my plan. That is why I use Google Voice, because I can use it over wifi or a data only plan, and the number doesn't change. But now, some stupid companies are blocking Google Voice from being used.

2Gkashmiri
5 replies
14h33m

In India your SIM card stops working if you do not recharge every month, and after the 2nd month the number gets blocked; after 90 days the number gets cancelled and recycled.

The going argument is, if your number goes unused for 90 days WhatsApp doesn't let you reset the password or something, so it's all fine.

Then it's a matter of submitting a written application with the bank to change your mobile number, so it's all fine.

davchana
3 replies
14h21m

I recharge my airtel with Rs 1700 something, which gives me a 365 days validity, without need of any additional recharge (plus some GB data everyday).

2Gkashmiri
2 replies
12h19m

that is.......... a lot to spend in one go

samarthr1
0 replies
9h36m

If you can afford a phone, you can afford 1700 for a year. If not, EMIs are a thing.

davchana
0 replies
1h15m

That's what, $20 a year? That's nothing.

lakpan
0 replies
11h4m

A few countries in the area have such a short length unfortunately. I’m lucky to have my European SIM card that I can top up once every 12 months. And even if they deactivate it after 13 months, I can recover it within the successive 12 months if I remember correctly.

WWLink
3 replies
14h17m

Before this new wave of SMS trash

My favorite is it's often paired with "passwordless" trash lol.

Why can't I just give my whole fucking credential out in 1 action. What's this nonsense where I have to enter my username, THEN wait for the page to load, THEN click "send verification email" or "send code", then half the time they want to SMS me and have me enter another code lmao.

iacvlvs
0 replies
11h52m

I use 1password with Fastmail integration to create unique email addresses for each login. This new “sipping from thimbles” approach to authentication breaks that because iOS and/or 1pass don’t recognise it as a login until the password screen, so I’m swapping and searching and copying and pasting just to log in. I viscerally hate that sort of user hostile design of the auth/login.

burnerthrow008
0 replies
1h39m

What's this nonsense where I have to enter my username, THEN wait for the page to load, THEN click "send verification email"

I can’t speak to all of them, but many sites that require (only) a username first have enterprise SSO integrations.

The enterprise buying the service (understandably) doesn’t want its employees to type in both username and password on a 3rd party site, especially since the SSO process will handle auth after the username is entered.

I know of one site with both username and password on the first page, and has enterprise SSO. Login will automatically fail if you enter anything in the password field when logging in with an SSO-enabled username. But that doesn’t stop copy-pasted credentials from being transmitted to their server, which is something enterprise customers want to avoid.

EVa5I7bHFq9mnYK
0 replies
10h43m

And don't forget to solve a 10-stage captcha before every page load!

rgbrenner
2 replies
15h31m

Before this new wave of SMS trash, we just had TOTP codes

SMS 2FA predates cell phones. First SMS 2FA was AT&T in 1996 using pagers.

The first draft of the RFC for TOTP was written in 2008. Google Authenticator came out in 2010.

minitech
0 replies
15h24m

And TOTP predates “this new wave of SMS trash”, when every service actually started using it.

burnerthrow008
0 replies
1h27m

Eh, that’s a bit pedantic.

I knew someone who worked for a bank in the late 80’s - early 90’s, and I distinctly remember them having a little keychain dongle that generated one-time codes every (30? 60?) seconds for secure remote login.

The product may have been an RSA SecurID, or something else. Branding aside, it’s the same concept as modern TOTP. The main novelty of the TOTP RFC was standardizing the setup / secret sharing process and algo.

eru
1 replies
12h48m

I agree with most of what you say, however:

[...] pay for international roaming [...]

I don't remember ever having to pay to receive SMS abroad. Is that a common feature with the plans where you live? (I mostly have experience with pre-paid plans from Asia, Australia and Europe.)

reedciccio
0 replies
12h21m

Americans screwed up mobile phones from the beginning: they pay on both ends, to receive and to make calls and SMS.

davchana
0 replies
14h23m

I use a simple APK which makes an HTTP POST request on every incoming SMS.

That POST request is processed by my own Google Apps Script to send it to my own Telegram bot.

When I travel where my phone will not work in that country, my wifi connected devices get OTP right away, in about 5 seconds.

Retr0id
58 replies
17h3m

Counterpoint: SMS login and account recovery is good UX, and it's the telcos that need to step up their collective game.

pdntspa
19 replies
16h37m

No, it's not, and it's fucking annoying to deal with. I am on my desktop computer, stop sending me to my phone just to log in because you don't want to support FIDO or some other form of real 2FA. There's a fingerprint reader on my laptop, face id on my phone, and a yubikey in my USB. Fucking use it

2OEH8eoCRo0
9 replies
16h27m

There's a fingerprint reader on my laptop, face id on my phone, and a yubikey in my USB.

Great! Not everyone has that! I do but if I could only implement one type of 2FA I'd probably still pick SMS.

torstenvl
5 replies
16h19m

Far far more people have a biometric reader or smart token than have a cell phone.

Smart phones are obviously phones and have biometrics. What you're left with is comparing the number of people with non-smart phones (~31 million in the U.S.) to the number of people without smartphones but who have biometric tablets, Windows Hello-enabled computers, PIV cards, etc.

kevml
1 replies
15h45m

Do you have statistics on the number of people who do not have smart phones but do have these other devices? I am not sure the intersection is as high as you imply.

torstenvl
0 replies
15h11m

The only people who don't use smartphones and don't have an iPad or similar tablet and don't have a recent computer... probably don't benefit enough from 2FA to justify the risk of account lockout.

In my social circle, the people who don't have smart phones are:

- People with disabilities that make reading from a small screen or texting a lot impractical.

- People who work in harsh environments who want something more rugged than a device made out of glass.

- People wary of the distraction of carrying around an entertainment device.

All of these people except one also have an iPad (especially the first group, as the larger screens help a lot). The one who doesn't does have a Dell XPS 13.

alexdunmow
1 replies
15h23m

Outrageous claims require outrageous evidence.

torstenvl
0 replies
14h54m

Yes. They do.

jonhohle
0 replies
15h3m

I would wager the number of people in the US with a smart token (I’m assuming you mean something like a Yubikey, ≈22M worldwide, most users have two) is probably close to 1:1.

I would also wager the number of people with dumb phones are close (but not as close) to those having computers without any biometric capabilities (and if they have them, they’re not set up).

chrispeel
2 replies
16h20m

Everyone can get an app on their phone or computer that supports TOTP, such as Google Authenticator

https://en.wikipedia.org/wiki/Time-based_one-time_password

supertrope
0 replies
15h21m

The problem is customer support load. Also what does the company do about those without a smartphone? No smartphone no service? This is why businesses peg account authentication to phone numbers. It offloads IAM overhead to phone companies.

gruez
0 replies
15h22m

What happens when they smash their phone and now you have to do account recovery? With SMS authentication you can presumably offload that to the carrier.

lotsofpulp
4 replies
16h20m

The macOS/iOS integration for autofilling SMS 2FA is so convenient due to this. Basically everything I do online now requires it.

wannacboatmovie
3 replies
15h16m

When it works.

I switched this off by choosing the wrong answer to some vague prompt and could never figure out how to re-enable it. Assuming it's like the many iOS settings that can be reverted only by resetting the phone to factory defaults.

sunnybeetroot
0 replies
8h27m

Which iOS settings require a factory reset?

lotsofpulp
0 replies
6h17m

I feel like it works 99% of the time for me, can’t name a website where it doesn’t.

AnonC
0 replies
14h16m

It doesn’t work on all sites and apps, which is an annoyance. Why it can’t intelligently offer the SMS OTP when a user is just waiting on an input field and an SMS comes with a code is beyond me. They should be able to decipher the messages, regardless of variations in formats, and know the code.

BTW, the setting to enable or disable this seems to be under Settings->Passwords->Password Options->AutoFill Passwords and Passkeys. Turning it off and on may also work (as these things tend to behave across devices and operating systems).
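The "decipher the messages, regardless of variations in formats" step that both the autofill complaint above and the SMS-forwarding setup earlier in the thread depend on, as an added Python example that is not from any commenter or from Apple. The sample messages are constructed; the keyword list, the 4-8 digit candidate shape and the phone-number scrub are assumed heuristics. The last-line `@domain #code` form is the WICG origin-bound one-time-code format, and the example uses it to refuse a code that was issued for a different site.

```python
import re
from typing import Optional

# Words that mark a message as carrying a one-time code (assumed list).
KEYWORDS = re.compile(r"\b(code|otp|pin|passcode|verification|token)\b", re.IGNORECASE)
# Origin-bound trailer on the last line, e.g. "@example.com #123456".
ORIGIN_BOUND = re.compile(r"@(?P<domain>[A-Za-z0-9.-]+)\s+#(?P<code>[A-Za-z0-9-]{4,12})")
# 4-8 digits, optionally split into two groups by a space or hyphen ("123-456").
CANDIDATE = re.compile(r"(?<![\d+])(?:\d{3,4}[ -]?\d{3,4}|\d{4,8})(?!\d)")
# Phone-number-looking runs; blanked out so "+1 555 123 4567" never becomes a candidate.
PHONE = re.compile(r"\+?\d[\d ()-]{8,}\d")


def extract_otp(message: str, expected_origin: Optional[str] = None) -> Optional[str]:
    """Return the one-time code in an SMS, or None if there is no code to offer.

    Origin-bound messages win outright; when `expected_origin` is given and the bound
    domain differs, the code is withheld rather than autofilled into the wrong site.
    Unbound messages need a keyword, and the digit group closest to a keyword is chosen.
    """
    lines = message.strip().splitlines()
    bound = ORIGIN_BOUND.fullmatch(lines[-1].strip()) if lines else None
    if bound:
        if expected_origin and bound["domain"].lower() != expected_origin.lower():
            return None  # issued for another site: do not offer it here
        return bound["code"]

    keywords = list(KEYWORDS.finditer(message))
    if not keywords:
        return None  # delivery notices, order numbers etc. carry no code

    # Replace phone numbers with spaces of equal length so offsets stay comparable.
    scrubbed = PHONE.sub(lambda m: " " * (m.end() - m.start()), message)
    best = None
    for cand in CANDIDATE.finditer(scrubbed):
        dist = min(min(abs(cand.start() - k.end()), abs(k.start() - cand.end()))
                   for k in keywords)
        if best is None or dist < best[0]:
            best = (dist, re.sub(r"[ -]", "", cand.group()))
    return best[1] if best else None


# Constructed sample messages, not real traffic.
SAMPLES = [
    "Your verification code is 482913. It expires in 10 minutes.",
    "Do not share this PIN: 7731-0025. Questions? Call +1 555 123 4567.",
    "Your package 82734919 has shipped.",
    "Thanks for your order #55012345. Your OTP is 309871.",
    "Your code is 123456.\n\n@example.com #123456",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(repr(text.splitlines()[0]), "->", extract_otp(text, "example.com"))
```

The origin check is the part worth copying: a relayed code arrives at the real site either way, but a client that only offers a code whose trailer names the page it is on takes the human out of the "type the code into whatever page asked" loop.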

wannacboatmovie
3 replies
15h18m

Hey look, a bunch of disjointed, vendor-specific non-standards that become impossible to support. Imagine some hapless Filipino support agent trying to explain to an irate customer their YubiKey drivers are borked.

Why don't we just issue everyone PIV smart cards?

thelibrarian
0 replies
13h53m

Non-standards? They all implement the WebAuthN standard.

rrr_oh_man
0 replies
10h40m

Why don't we just issue everyone PIV smart cards?

Particle Image Velocimetry?

Penis in Vagina?

Pentium 4?

Edit: Hah! Personal Identity Verification!

pdntspa
0 replies
12h11m

I don't know about the Windows side of things, but on Mac I imagine there's just one fingerprint API to support, same with Face ID. Yubikeys either work or get their drivers from the cloud like most other devices nowadays. I also don't know much about what Android has, but I would be surprised to learn there wasn't native support for the various standards that are in place today, even if manufacturers aren't using it.

batch12
8 replies
16h22m

From the examples I've seen, the attackers essentially become the customer. They've either socially engineered the customer or done research to gain access to enough information to validate themselves as the customer. Come up with a solution and sell it. You'll make some money.

batch12
6 replies
16h10m

Well that got me thinking. You could stand up a third party verification service and sell the offering to companies that don't want to be bothered with authenticating the user. Something like Okta (I know, bad example when talking infosec at the moment) for real life.

wahnfrieden
5 replies
15h55m

They won't pay for it

batch12
1 replies
15h43m

I just realized this does exist (kinda) in the US with identogo. Could be an easy service offering for them or a partner for another company focused on the mfa issue.

dcow
0 replies
3h30m

There are numerous ID-proofing services out there.

lxgr
0 replies
15h17m

Somebody already pays for it. Once regulations ensure that it's the companies skimping on KYC themselves, most will happily outsource that task to the cheapest (compliant) provider.

dcow
0 replies
3h30m

They pay for Twilio.

batch12
0 replies
15h54m

With the right legal language, I think they would.

PeterisP
0 replies
15h47m

That's kind of the point, US Telcos don't really validate customer identity - probably because they can't, due to the general limitations of USA documents leading to relatively easy identity theft where merely having enough information is sufficient to impersonate someone. (A simple test - is your verification process likely to stop someone's parent, spouse or sibling from impersonating them? If no, you're not really verifying identities.)

It's not something where a private entity can sell a solution, you need a more solid root of trust for verifying actual identities, like many other countries do, but that's not going to happen in USA any time soon.

kelseyfrog
5 replies
16h19m

Counter-counterpoint, when companies implement a system with a known flaw, then they're responsible for the consequences of creating that system.

batch12
4 replies
16h17m

OTP can be social engineered, hardware keys can be stolen, who determines what constitutes a flaw?

Edit: also, do both pay in this case? The telecom and the service?

tamimio
3 replies
16h6m

That’s a problem with the user, not the protocol or the system; users have been and will always be the weakest point, but they are accountable for it if it happens, which is not the case for SIM swap attacks.

batch12
2 replies
16h3m

Yes, true. However, to paraphrase a red team operations book I read, if the user can be tricked into compromising your security with a click, then you can't blame the user. An organization's defensive security strategy should not hinge on a single user's decision to click or not.

Edit: I am swapping users with you, sorry for the confusing reply. I'm thinking telecom employee, you the user of the app that got swapped (I think, apologies if I am wrong).

tamimio
1 replies
15h50m

Ha! I was going to say if you solve the user vulnerability then congratulations, all systems are mostly safe! Before reading that you meant telecom employees.

The reality is that TOTP, despite any issues, is far more secure and available than SMS: security for obvious reasons, but also availability. You can have your TOTP token accessible everywhere (say in your password manager), but if you can’t receive an SMS because you lost your phone or are traveling, then you are in a tough position, maybe even locked out completely. I personally even back up the TOTP tokens so I can reuse them without being tied to a specific platform/app (I am looking at you, Authy!).

batch12
0 replies
15h48m

I completely agree with you.

johnea
3 replies
16h16m

I completely disagree. Using a corporate account for personal identification is a major failure of public infrastructure.

The US government should step up its game.

An individual's identity financial transactions should NOT be determined by holding an account at one of 4 mega-corporations.

We should work towards something in this direction: https://e-estonia.com/solutions/e-identity/id-card/

zeven7
1 replies
15h59m

Getting the government involved in this is the only worse idea than delegating to 4 major corporations. It should be delegated more broadly and users should have more options not less.

johnea
0 replies
1h53m

It's obvious that government is already involved with everyone's identification.

This is analogous to the argument that government shouldn't be involved in "the free market", when the market is actually defined by the laws that regulate it.

Let's just call this the "Texas Delusion"...

Governments can be changed by democratic processes, corporate decision making is completely inaccessible to the public.

Do people really think life would be better if Google just ran everything?

paiute
0 replies
15h46m

I’m so happy other people think this too!!! No one trusts the government, but USPS still offers pretty good privacy. I want mandatory acceptance of a gov-issued ID, but at the same time I want to be able to use things anonymously.

spenvo
2 replies
16h59m

From the article:

For many years, people in the industry have invariably said something like: "Well... offering SMS-based authentication is better overall for customer security, because of its convenience (despite its shortcomings) vs other methods" (such as the far-more secure use of email for verification). To that I say: "who are YOU to deprive your customers of security?"

and

Much of the ire relating to SIM-swap attacks has, understandably, been directed at carriers. Indeed, carriers do a terrible job of securing customers’ phone numbers, and may be liable for that shortcoming. But here’s the thing: carriers’ security has always been bad, it has even been legislated into being bad, and other companies have still chosen to build mission-critical systems on top of that weak link.

and

Despite offering poor security, SMS offers a nearly frictionless way to sign up new customers (think of Uber's onboarding) and handle password resets, and companies felt they had to match competitors' adoption of this technique.

This last bit was unfortunately overwritten in a Wordpress post update, and I added it back.

j16sdiz
1 replies
16h48m

such as the far-more secure use of email for verification

Hmm.. sure? They have different threat profile. Don't think it is more secure.

spenvo
0 replies
16h41m

There is a straightforward manner to overtake your phone number (call your carrier and use social engineering). There is nothing you, the customer, can do to lock that down. (I've tried with my carrier.)

With email, you can lock that down with robust 2FA (Google Authenticator/Authy/etc) and crooks have no straightforward way of defeating that.

This is how it plays out year after year and why SIM-swap gangs are so prevalent.

crmd
2 replies
16h18m

If having your account hijacked is a good user experience then I have no idea what UX means.

croes
1 replies
16h16m

Maybe SIM swapping shouldn't be so easy in the first place.

bfdm
0 replies
15h37m

Sure, agreed, but until that changes stop using SMS for 2fa systems.

neallindsay
1 replies
16h55m

You know that they won't though, so why even make this argument?

Retr0id
0 replies
16h46m

By that logic, consumers and tech companies won't change either and we can bypass this whole discussion.

I live in a part of the world where, on occasion, governments decide to regulate such things.

mooreds
1 replies
16h20m

I wrote a comment 11 days ago talking about SMS for a second factor, but it applies in general as well: https://news.ycombinator.com/item?id=39130032 Email is better, for sure, but mostly because email providers are either controlled by the user (for us nerds with a custom domain) or a large, impersonal entity (google or similar). Neither is available to change by attackers in the same way as phone number providers are.

I work for an identity provider and we have a number of folks who want us to support this, almost always from a UX perspective.

I think that there also needs to be some onus on the phone providers, as suggested above. With the continued push to have the phone number as a global identifier (offline and online), we need our telco providers to require more to change phone numbers.

lxgr
0 replies
15h19m

With the continued push to have the phone number as a global identifier (offline and online), we need our telco providers to require more to change phone numbers.

No, we need to push back on this user-hostile trend, not stick on yet more band-aids.

Phone numbers are country-specific, impossible to own in any meaningful way for private individuals (unlike e.g. domain names), and add an unnecessary point of failure.

johnneville
1 replies
16h21m

while it works well a majority of the time, it results in an exceptionally bad UX if you lose your phone, don't have reception, or are traveling outside of your service area

justin_oaks
0 replies
15h22m

I once worked in a building with terrible cell reception. I hated anything that required SMS for 2FA because I'd have to go outside to get the text message.

My in-laws lived in an area with poor cell reception too. Whenever I'd go there, I couldn't use SMS either.

Both of those places had good Internet service. Any time SMS was required, my UX was terrible. Hooray for anyone who supported TOTP, email, or any other form of 2FA.

romwell
0 replies
14h5m

Counterpoint: SMS login and account recovery is good UX, and it's the telcos that need to step up their collective game.

Oh, yeah, fantastic UX.

I've had my phone and credit cards stolen while traveling abroad (such a hard-to-imagine scenario, innit?), and was consequently locked out of all important services.

Very good UX: being left without a phone and access to bank account and email and most messengers at the same time (thankfully, Skype isn't one of them).

Double props to CitiBank for requiring SMS authentication to change the phone number on the account.

lxgr
0 replies
15h52m

If you never move internationally, travel abroad, are outside cell coverage, and don't value security too highly, it sure is.

lrvick
0 replies
16h16m

Not everyone has (or wants) a phone or to grant control of their life to a cell phone carrier

j45
0 replies
16h58m

Telcos are not responsible for using fingerprint or facial recognition as joint user+password.

When it comes to good UX it’s important to clarify whose goals it’s best for: compromise security for convenience and adoption of an app?

Or setting up the user to succeed more.

SMS is a lazy form of 2Fa. it reminds one of the descriptions of sms being an open postcard.

Theatre and pageantry have limited value where it sets users up for much worse

dkjaudyeqooe
0 replies
16h14m

Yes having an SMS sent to a number you no longer own is great UX.

__MatrixMan__
0 replies
15h29m

Any auth mechanism that requires a trusted third party is hardly an auth mechanism at all.

Pufferbo
0 replies
16h7m

If you don’t have your phone; if you’re abroad and don’t have SMS; if you’re in a building with no service; if you changed your phone number, they all suck.

Also, another valid point is that often times it’s hard to tell what’s a legitimate SMS message and what’s phishing. Their phone numbers are always gibberish and sometimes change between requests.

treflop
25 replies
17h1m

I agree that SMS is a terrible multi-factor.

But it caught on because asking people to install an app is a massive ask. Not to mention, people never save those recovery codes.

Sure, you can use Authy and back up your codes but that’s pretty much squarely in the “for technical people” camp.

So at the end of the day, SMS is the only real solution for your average normal person. Let’s get cellular carriers to make SIM swapping harder.

jameshart
9 replies
16h36m

iOS’s inbuilt password manager supports TOTP second factor authentication right in the operating system, no app needed.

__MatrixMan__
7 replies
15h26m

Isn't the point of a second factor that it's... Not the same as the first factor?

My TOTP app password is one of the few that don't go into the password manager. Might as well make 'em compromise each separately.

kccqzy
3 replies
14h33m

Accessing TOTP or passwords in the iOS built-in password manager requires someone to (1) have your phone; (2) pass a biometric authentication or a passcode authentication.

That's the two factors right there.

__MatrixMan__
2 replies
13h0m

Or to be able to push updates to the iOS built-in password manager: one factor.

kccqzy
1 replies
11h48m

My threat model doesn't include Apple or Google, the maker of the operating system. If you assume they could push an update to the built-in password manager, you need to assume they could push a keylogger that exfiltrates both your regular password and the password for your TOTP app.

__MatrixMan__
0 replies
31m

Fair enough. They're who I'm mostly worried about.

I've got the Google apps in a sandbox, so I think if they pushed such a thing they could only spy on my logins with them.

Not that I have supreme faith in GrapheneOS to keep google in its box on a device that google made, but I do hope that it represents enough friction that I get excluded as an outlier from whatever abuses occur.

vel0city
2 replies
14h42m

Eh. It still makes the credentials rotating credentials instead of permanent credentials. If your username + password + single TOTP value gets stolen, they won't be able to re-auth once that credential gets invalidated.

So say a site accidentally logs auth attempts, and someone finds the log. Sure, they know your username + password now, but they don't know a good current TOTP value. And TOTP values are supposed to be one-time-use, so even if they catch it quick it'll be invalid very fast.

It's better than not having TOTP, but not quite as secure as it could be. Theoretically it's still something you know and something you have, in that it's something you "know", the static password, and something you "have", the rolling TOTP generator.

__MatrixMan__
1 replies
12h52m

If the password manager was compromised (not accessed without permission, but updated without permission) then it wouldn't be just the single TOTP value that leaked, it would be the underlying key.

On a mobile device you might be a bit limited in how "distant" you can keep the two, since the vendor is typically almighty in that scenario. But in general, you have options and you might as well avoid keeping both eggs in the same basket.

vel0city
0 replies
3h16m

That's one vector my "not quite as secure as it could be" statement was thinking about. Or if someone just managed to steal your phone and break into it.

But, there are still other attacks that this setup protects against.

Two-factor isn't "two device", two factor is two factors of authentication, where factors are generally:

* something you know (password)
* something you have (key handshake, TOTP generator)
* something you are (biometrics)

Storing your TOTP secrets next to your hard passwords is putting eggs in the same basket, I agree. But I'd prefer someone do this than just forego adding TOTP or multi-factor entirely.

And in the end, even if you used two different apps on your phone you're still putting all your eggs in the same basket, which is a trade off tons of people are going to do. Even a lot of very security-conscious users will end up with some TOTP app and a separate password manager, chances are both apps will be installed on the same device. If that device gets thoroughly compromised there's potential for both apps to be attacked and compromised.

If your OS vendor shipping malicious code is a realistic threat to you, or at least attackers being able to impersonate your OS vendor, you're probably going to end up getting compromised even if you split it out into two apps. You'd probably just want to avoid TOTP entirely and move to physical hardware cryptographic tokens.

iknowstuff
0 replies
16h26m

Yeah but no normie knows about it. It never prompts to store them.

lxgr
6 replies
15h14m

It worked for every single card-issuing bank in Europe.

SMS is fortunately both expensive enough there to make it uneconomical for banks to use as an OTP factor, and has been found too insecure for payment authentication by itself, requiring a second factor.

This has practically led to banks offering something more secure and/or ergonomic, e.g. bank-specific authenticator apps (which often work without internet, and always work without cell signal, e.g. when traveling internationally), hardware authenticators, WebAuthN etc.

Let’s get cellular carriers to make SIM swapping harder.

No, let's get financial companies to step up their game and offer something not liable to both security breaches and locking out users (when traveling, losing access to their number etc.)

daveoc64
3 replies
14h15m

Many banks and card issuers are using SMS for 2FA in Europe.

lxgr
2 replies
14h5m

No bank is using (only) SMS as an authentication factor for 2FA. It's not allowed under the EBA's technical interpretation of the PSD2 regulation. Some banks do still allow it as a fallback option, together with another factor, e.g. a password or other knowledge factor.

My bank even made it a paid service, which I fully support – SMS is extremely overpriced.

daveoc64
1 replies
13h51m

I'm in the UK, so our implementation of the PSD2 regulation may be a bit different (it came in while the UK was leaving the EU), but I get SMS 2FA codes from American Express all the time in the 3D Secure process.

lxgr
0 replies
13h40m

Some banks do still allow SMS by itself as the only authentication factor (presumably because they haven't got around to updating their solution or maybe think they've found a workaround), but it's not compliant with the PSD2 regulation in the EU at least. The solutions I've seen usually use a password or security question as the other factor.

76SlashDolphin
1 replies
13h58m

I wouldn't generalise an entire continent like that. Both my Bulgarian and Austrian bank accounts have SMS-based 2FA on online transactions and logins. Some banks in Bulgaria allow to use eSignatures as 2FA but afaik that has seen tiny adoption in the consumer space.

lxgr
0 replies
13h45m

I don't know about Bulgaria, but in Austria, verification apps are very popular and I don't know many banks that still allow SMS-OTP for e.g. 3DS authentication or online banking transaction confirmation.

pests
3 replies
16h39m

Google Authenticator now syncs to your google account.

Mistletoe
1 replies
16h37m

I’m not even sure this is a positive thing.

fattire
0 replies
16h35m

You can opt out of it thankfully.

davchana
0 replies
14h6m

I have always saved my strings in a separate KeePass database.

New Google Auth takes a second or 5 to show accounts. I use old apk because that one shows accounts in a millisecond.

jay_kyburz
3 replies
16h43m

My bank made me install Symantec VIP. Yuck. To do my tax I need MyGovID. Also Yuck.

zadokshi
1 replies
16h8m

How did the bank “make” you do this? Does your country only have one bank?

jay_kyburz
0 replies
15h21m

As much as I hate the apps, I'm not prepared to refinance my house just to avoid installing them on my phone. Especially when the other banks probably have the same policies, or will soon.

autarch
0 replies
15h36m

The Symantec app is just a regular TOTP app but a bit more annoying. You can usually replace it. See https://locima.com/2019/06/01/replacing-symantec-vip-with-a-... for one method.

I did this to get my Etrade account TOTP from Symantec into Authy.

qingcharles
15 replies
16h19m

It also sucks if you lose your phone number.

I haven't been able to log into my primary Google account for many years because while I have the username, the password and the recovery email address (and all the emails are forwarded to me), I no longer have the phone number associated with the account, so clearly I'm trying to break in.

Pufferbo
8 replies
16h10m

Or if you’re just traveling. I’ve been logged out of accounts while abroad and with no access to SMS.

mixmastamyk
7 replies
16h2m

Or refuse to give them a phone number. I lost access to two accounts where they now demand it.

Even have the audacity to send me an email with “someone tried to log in with your username and password!” Yeah, that was me clowns. :-p

diego_sandoval
3 replies
15h41m

I'm in a similar situation with LinkedIn.

Out of nowhere, they locked me out of my account, then they asked for my phone number, and I had to put in a code received through SMS. But that was not enough, because then they asked for a national ID card (the gall!). Of course I did not send it.

However, I kept trying to log in with the password and SMS code for a couple of days hoping that the ID requirement faded away, and now they say that I "have reached the maximum number of attempts. Please try again at a later date.". Well, duh.

So, now I have a ghost LinkedIn account with my face and my data that I can't even delete.

I'm seriously thinking about asking a bunch of people to mass report my account for racial hate speech or something so that at least it gets deleted.

mixmastamyk
1 replies
15h26m

Well, keep in mind almost nothing is deleted any longer. Only a deleted_at column is populated in the database, which prevents it from being listed by default. But data is not deleted, and those accusations might last forever as well.

This is where being an EU resident would be handy.

amatecha
0 replies
14h24m

Yeah, it sure would be nice if the same nations that deeply/fundamentally benefit from being epicentres of cutting-edge technology would actually do something to protect the rights of people who are reliant on and are affected by said technology.

qingcharles
0 replies
25m

It's gotten so bad that it's now a regular paid service that I see offered for people to use bots to mass report your old accounts for a fee to get them removed and delisted for you. "100% guaranteed ban and delist. 1hr turn-around time!"

Of course, using it as a weapon against your competitors is the unsaid reason for these operations...

ranger_danger
1 replies
15h30m

none of my google accounts even have phone numbers, and I've never been asked for one...

amatecha
0 replies
14h20m

Yeah, that's what's especially insidious about it. Until you attract the eye of Sauron by somehow setting off whatever unknown security trigger (which btw will never ever be disclosed to you), you'll never notice just how quickly everything can be taken away without any recourse. Everything seems just fine, doesn't it? Until it isn't.

bonton89
0 replies
4h11m

They say for security purposes they need my phone number (that I've never given them before) to verify I'm me. I've seen this on first login on a new account. I guess they think I'm pretty stupid and I'll believe that.

Facebook once balked and demanded my driver's license scan to keep using the account for security purposes or no more login for you. I called their bluff and abandoned the account. A few months later I tried again and suddenly the driver's license wasn't needed anymore. Then I stopped using it for YEARS until they sent me a single email with a link, which LOGGED ME IN to the dormant account without asking for a password on a new PC that had never used facebook before. I actually don't even remember the password at this point but it is still logged in!

hsbauauvhabzb
2 replies
12h7m

I swear this is a bug, the recovery email is supposed to remove the need for sms auth. But google have no help desk or ability to report bugs.

Shame on you google.

qingcharles
0 replies
23m

I've spent hours on the phone to many Google internal numbers that I can find trying to get someone to help me.

I think my best action is to use one of the sim-swap services myself to intercept the SMS to the guy who owns the number now.

hedora
0 replies
2h36m

The problem I have with Google's authentication flow (and also Microsoft's) is that there's no right way to use it. They both make unpredictable demands at unpredictable times, so you can't rely on being able to authenticate when you need to.

Randomly losing account availability like this is completely unacceptable for critical services like the ones they provide.

hedora
0 replies
14h43m

Once I was in a situation where I could either have wired ethernet or cell service, but not both (it was a 30 minute drive to cell service). There was no way to log into my Google account because it decided my laptop was suspicious (due to the strange IP address, probably).

When I got back to civilization, I turned off Google 2FA, and will never turn it back on, at least for personal accounts. I would rather drop my usage of their services than deal with their account login bullshit.

bonton89
0 replies
4h17m

A bunch of people like to say it is fine they use the phone number because you can use your other methods as a backup if you use it. Yet I've read plenty of stories like this about google demanding everything they have on you.

AnonC
0 replies
14h0m

Google is really atrocious in this respect. It won’t even use recovery email addresses properly. The only solution is to move back to an IP address range that seems like your original “home” location and pray that it works. I have some choice words for whoever in Google thought not allowing account access or recovery is a good thing.

LouisSayers
14 replies
14h56m

SMS for any significant action on an account is terrible.

1) Phones can be lost or stolen
2) People move country
3) SMS attacks
4) Phone numbers get reused
5) Users must maintain a paid phone plan

For the love of science, DO NOT tie accounts to phone numbers!!!

-- edit --

I updated the first line to clarify that I'm not talking about one-off notifications etc.

sibit
4 replies
14h47m

I don't know. I like when my ISP or power company lets me opt into texts about outages and provides periodic updates (as long as you can reply STOP).

I was on a 2 week camping trip and a nasty storm rolled through my home state. Power went out for 5 days and I wouldn't have known if it wasn't for the SMS notifications. I immediately cleared out my fridge and freezer when I got back.

sdf4j
2 replies
14h44m

That’s not the use case in discussion.

sibit
1 replies
14h42m

SMS for anything other than one-time use cases is terrible.

I can agree it's unacceptable for security while also disagreeing with this statement.

LouisSayers
0 replies
14h38m

I've updated the first line to clarify what I was meaning here

LouisSayers
0 replies
14h43m

Notifications are fine, what I mean is more things like verifying it is your account, forgot password etc.

Anything tied to material account actions shouldn't have anything to do with SMS.

Flight delays or notifications of works in your area etc won't lead to account takeovers or denying access to your account - but the way many companies use SMS can potentially lead to this.

lakpan
4 replies
10h58m

1) By definition, if your 2FA device gets stolen, you’re screwed anyway. Goodbye Authenticator. At least with SMS you can get the same number by contacting your carrier.

2) Roaming. Often free to receive texts abroad.

3) True

4) True, but it’s easy to keep it active assuming you at least have data on it

5) True, but it can cost peanuts with the right setup. I’m holding onto my European and Thai SIM cards with less than $5/year. My Google Voice number is free since 2009.

I agree I’d just prefer using Authenticator and Passkeys, but let’s not lie about the advantages of SMS.

pitaj
3 replies
9h56m

Google Authenticator backs up to your Google account now, somehow. Not sure exactly how that works.

lakpan
1 replies
8h22m

The problem is logging into your Google account without your 2FA device or phone number.

The answer in all these cases is having more than one option enabled. I just recently tested my Google and Apple login simulating a loss of phone and computer. It was tough but there are options (e.g. Apple lets a friend be your full 2FA, so you can even recover encrypted data)

tim333
0 replies
6h47m

I always back up the codes for the Google Auth stuff. They are just strings like VN3WBOTLQZUDFIWG You can put them in a doc / email them to yourself / whatever.

tim333
0 replies
6h39m

Google have not been very good with that. For a long time they didn't back up at all, which meant if you swapped phones and didn't manually copy over you lost the codes. Now if you click the default OK button it copies all the codes to Google cloud, which is ok if you don't have much money being protected, but if you do there's a vulnerability that hacking your Google account gets your TOTP codes and probably passwords if you save them in Chrome. I'm currently in that situation and will probably shift to some other provider so it becomes two things to hack rather than one again.

tim333
0 replies
6h45m

That always freaked me out with Revolut which insisted on linking to a phone number.

lgkk
0 replies
13h58m

I think it’s fine as long as an email is always collected.

This way if the phone is compromised your email is still there.

As far as convenience goes it is convenient in actual practice as an end user. I’m sure even if 1% have this issue that’s billions who are not. It’s cheap and it’s convenient. Your phone gets the message and autofills.

You don’t need to switch apps to check email or something. And your account will always be recoverable as long as your email isn’t compromised. If you lose your email I mean that sucks. But that happens anyway and it’s why people should rotate passwords and set up MFA.

Security can never be 100%. That’s just a fool's errand. It should be convenient enough and secure enough that it works for as many people as possible.

Literally everyone else outside of HN doesn’t even care or understand. They don’t need to. Just use the apps to do your thing and move on.

Let the nerds handle the backend.

jojobas
0 replies
14h41m

What's science compared to the "requirement" of getting a valid phone no-account link to sell to Google and Facebook?

al_borland
0 replies
13h55m

I have a huge issue with the phone becoming one’s identity.

I often see couples using each other’s phones and knowing each other’s passcodes. I’m not sure I could ever trust someone that much. I don’t think I’d even give my passcode to my own mother, and she’s never given me a reason not to trust her.

The worst part about it all is that it’s not opt-in. They just randomly start using SMS as 2FA. If I were to change phone numbers, I’m not sure what I’d even do. How can I change to a new number without control of the old number to get into my account? What happens if I miss one, because they randomly decide to use 2FA on an account I didn’t think to update? It’s a really bad system all around.

diego_sandoval
13 replies
16h37m

[Customers] appreciate that [SMS reset is] more convenient than resets via email.

Anecdotally, I'm annoyed every time I have to log into a Google account using phone verification, because I have to stand up from my desk and find my phone (which sometimes is in a different room) in order to receive the call/message with the code.

TOTP is much more convenient in comparison. I don't have to stand up from my desk, because I store the codes in KeePassXC.

toomuchtodo
8 replies
16h35m
hedora
4 replies
14h35m

Hard pass. What if I lose all my devices? (Except a fireproof offsite box with a piece of paper containing most of my passwords in it.)

More realistically, what if Google decides to disable my account, and holds my passkey database hostage (which they can, by design)?

toomuchtodo
3 replies
14h19m

Note I said “each of your devices.” Even if Google locks you out, they are all still on at least one of your devices (if not more).

My passkeys are shared with family members in iCloud (where they are synced to) for bus factor. I don’t recommend using Google for any consumer services if you can avoid it, especially syncing your password/passkey database, as there is zero support if something goes wrong.

janpieterz
2 replies
13h58m

There are stories of Apple locking users out of their iCloud accounts.

toomuchtodo
0 replies
13h56m

And all of your passkeys should still be on each device in such a case. It’s sync, not a singular vault.

Aerbil313
0 replies
9h58m

Can you provide source? I've never seen Apple locking someone out of their account à la Google, only rare dumb user errors in the system clearly designed to effectively prevent them.

worthless-trash
1 replies
15h41m

A lot of companies still mess up passkeys: allowing them only as a 1:1, using one terminates the session of another, or in some cases invalidates the previous passkey entirely.

It's implementation specific I'm sure, however it's not as straightforward as one would hope.

lxgr
0 replies
15h24m

Also a favorite: "Your browser does not support Passkeys".

It sure does, which these horrible sites could easily verify by invoking the single line of JavaScript [1] to learn as much, instead of assuming "Firefox -> must be unsupported". Absolutely infuriating.

[1] https://gist.github.com/miguelmota/ad833d2e6f024a7189f803664...

chrisfinazzo
0 replies
14h57m

Extra security is welcome, but I'm simultaneously terrified that I'll somehow get locked out of my Apple ID or main Gmail account.

Everything I read about Passkeys says this scenario is 100% impossible, as it's based on biometrics and no longer using a text string that can get lost, but I'm still nervous AF. I've had to do the "reset a password that's behind 2FA" dance before and it makes me want to crawl in a hole and die - super duper scary.

Somebody tell me to chill out.

kalleboo
1 replies
13h18m

In the Apple ecosystem, the SMS syncs to your Mac, Safari detects the code and autofills it in the web page, and then it auto-deletes the SMS when you're done for you. It couldn't be more seamless.

rrr_oh_man
0 replies
10h50m

Which, ironically, requires you to forever "opt-in" to 2FA on your Apple ID.

garciansmith
1 replies
16h30m

You can click the "try another way" link, which will allow you to use a TOTP code (which they call the "Get a verification code from the Google Authenticator app" option even if you've never used Authenticator).

AnonC
0 replies
14h28m

I don’t have experience with TOTP on this, but I’ve seen that the “try another way” doesn’t even work with a recovery email address and a code sent to it. Google seems to make it almost impossible to login if you move away from your “home” location, unless perhaps you use its apps and are already logged in.

aiisahik
12 replies
15h39m

Using SMS makes PERFECT SENSE for the online service provider.

The following are very similar but separate goals:

1. proof of account ownership (person attempting action has ownership of account)

2. limiting accounts created by non-legitimate users

SMS is very effective for (2) because few people are going to have access to 100 different phone numbers. Having a cell phone number also typically involves a personal process that requires things like your address, passport, SSN, etc. There are hoops to jump through for this. Companies rely on SMS because they can outsource the KYC process to cell phone companies. They are not doing this to have the most optimal or secure solution for proof of account ownership.

People who continue to complain about this clearly have never had to make this type of auth decision for a company involved in regulated or financial services.

aikinai
7 replies
15h37m

Your point is completely orthogonal to account takeover. You can require a phone number to create an account and not allow SMS to the number to takeover the account.

AnonC
3 replies
14h26m

What happens when the owner of the number discontinues the phone service, loses the number and the same number is given to another customer who then tries to register for an account on the same platform? Phone providers may recycle numbers in as short a period as a few months.

rrr_oh_man
2 replies
10h48m

Phone providers may recycle numbers in as short a period as a few months.

Then, I guess, the account on that German home automation online forum was maybe not that important, after all.

pnt12
1 replies
10h14m

Such a strawman. People get locked out of accounts with important stuff for them all the time.

Let's demand more of tech companies who have the means to do proper security, instead of blaming user mistakes.

rrr_oh_man
0 replies
9h7m

No, I’m not blaming the user. Look at this from the other perspective:

I have an apartment, a vacation home, a chicken coop, a shed with old tools, a car, a bank deposit box.

Do all of those things absolutely require a Post-Blockchain-Ready™ SuperDuperLock 3000© with the patented Forensic Upgrade Crypto Key™ technology?

Not really. Some security vs. accessibility/usability trade-offs need to be made.

Somebody stealing the contents of my bank deposit box? Okay, that would suck.

Somebody breaking into the shed and stealing that old broken Toyota diff lock actuator I *swear* I'm going to fix at some point and maybe a shovel? Please.

This is why I think there might be a security floor for critical applications, but it should be the user's choice if they really want full 2FA+ with smartphones, biometry, and social security number verification for their random account on a once-a-month-visited social network for cats.

hedora
2 replies
14h34m

Why does the service provider care about account takeover, from a financial perspective?

They can always reset the password on their end, given proof of identity (if the account matters).

romwell
1 replies
14h11m

Why does the service provider care about account takeover, from a financial perspective?

Indeed, caring in any way about users of your product or service is merely a liability and a cost center.

rrr_oh_man
0 replies
10h46m

I honestly don't want that type of overprotective caring that cares so. much. about you that it restricts you in meaningful ways.

lxgr
1 replies
15h29m

Just because I understand precisely why companies do it doesn't mean I need to be happy with it, does it?

By the same logic, you could justify companies tracking their users and selling their personal information: It makes money, and making money is an important part of running a business!

Terr_
0 replies
15h15m

Or: "Robocalls with fraudulent caller-IDs make perfect sense for the companies doing them..."

gruez
1 replies
15h0m

(2) because few people are going to have access to 100 different phone numbers

There's a plethora of sms verification providers where you can pay a trivial amount (eg. 50 cents) per verification, and have tens/hundreds of phone numbers available. This isn't stopping anyone who's mildly determined.

rrr_oh_man
0 replies
10h43m

There's a plethora of sms verification providers where you can pay a trivial amount (eg. 50 cents) per verification, and have tens/hundreds of phone numbers available. This isn't stopping anyone who's mildly determined.

But that's the point: If you're really determined, nothing's gonna stop you.

How much on the freedom vs. restriction scale do you want to get pushed to the right for "security" before it's too much? Or is it okay, because it's not inconvenient to you?

protocolture
8 replies
16h52m

Lets try the same logic everywhere else.

Companies embracing password login should be blamed for sticky note thefts.

Companies embracing email 2FA should be blamed for email account theft.

I don't know if this holds up, hey. We see this time and again. An entity that does not break the law, makes itself available to the law, and its customers get hit by a criminal entity that does not follow the law. Because we can't snap our fingers and demand the government make thieving criminals double or triple illegal, people reach for a largely innocent party and want to make their lives worse.

Take a deep deep breath and let it go. There's no unharmful level of punishing the innocent on behalf of the guilty.

This is going to sound wild and crazy but the people swapping the SIM should be blamed for the SIM swapping attack. What? Blame the criminal? I know it's a bold stance but it's correct.

mx_03
2 replies
16h46m

That's a strawman fallacy. You can control not writing your sticky note.

You can't control a SIM swap attack.

spenvo
1 replies
16h33m

Yup it's a strawman argument. And furthermore, even the rhetoric used to downplay the idea of holding companies accountable is off:

The idea of "blame" (with some handwaving) carries weight in court and sways juries. And companies are getting sued for big sums over negligence regarding SIM-swaps, like here https://www.techmeme.com/190723/p15#a190723p15

Jiro
0 replies
13h16m
caconym_
1 replies
16h32m

Lets try the same logic everywhere else.

The difference between SMS 2FA and the examples you mentioned is that the former is literally impossible to use securely because there is (AFAICT) no (American) consumer mobile provider that implements proper safeguards against unauthorized SIM swaps and similar. Any company implementing SMS 2FA ought to know this, and any company knowingly implementing a deeply flawed 2FA system and selling it to consumers as "more secure" ought to be held liable when it fails. And the sooner SMS 2FA dies, the sooner the same old websites that implement SMS 2FA and nothing else will be forced to implement something that's actually secure.

xxs
0 replies
14h52m

Unfortunately, there are already laws that demand SMS auth, e.g. online gambling in some US states (New Jersey being one).

The perverse practice has been established as 'strong login'.

balls187
1 replies
15h0m

And blame the carriers.

protocolture
0 replies
14h33m

Carriers can certainly carry an amount of blame. IIRC in Aus it's gotten harder to activate a new SIM for these reasons. The attacks haven't stopped entirely but it's gotten more rare. It now relies on a very persistent social engineering attack to pull off.

That said, number portability is a really deep well. And there's utility in keeping it somewhat liquid for the many many many people it benefits rather than making it terrible for everyone to prevent a number of attacks.

mcmoor
0 replies
15h16m

This is what I thought about the 23andMe debacle. They maybe should have done better, but any attempt to "punish" them really feels like ex post facto law. Make new regulation or something and punish future incidents, but not this one.

lxgr
6 replies
15h5m

What I hate most is when companies insist that my (Google Voice) number "can't be used for authentication" or, even more crass, "isn't a valid phone/mobile number".

Some have even done this after initially allowing me to sign up using it, changing their policy sometime after I've signed up, and I usually only notice when I end up locked out of my account.

Fortunately it's mostly been store apps or payment services that I can just avoid going forward, since they clearly don't value my business, but I'm concerned that one day, my bank will do the same and just lock me out of my account.

AnonC
3 replies
14h31m

Based on my experience with Google Voice, I think of not allowing Google Voice as a positive that could help people. I’ve written a little bit about why not to use Google Voice in this comment (on this same post) here: https://news.ycombinator.com/item?id=39270503

My experience may not apply to you, but it is still a risk, IMO, to rely on the “free” Google Voice.

lxgr
2 replies
14h10m

That's not a good reason to block Google Voice at all. Regular phone numbers also get recycled by phone providers after a few months of not paying the bills (or not topping up a prepaid account). The chance of me losing my regular prepaid number after a few months of traveling internationally is significantly higher than losing my Google Voice number.

I also seriously doubt that blocking VoIP numbers is anything other than companies making their own lives marginally easier (because VoIP numbers can be used by people generating multiple trial accounts in case they're used as a (bad) "proof of personhood").

AnonC
1 replies
13h56m

GP here. Maybe I should’ve worded it differently. I wanted to say that it’s better for the users not to rely on an unsupported and poorly designed platform like the free Google Voice service. I’m not in favor of companies blocking VoIP numbers.

rrr_oh_man
0 replies
10h42m

Maybe I should’ve worded it differently. I wanted to say that it’s better for the users not to rely on an unsupported and poorly designed platform like the free Google Voice service.

But that Romanian SIM card I bought at a roadside kiosk on a boozy weekend in Timisoara without any ID is fine?

thanksgiving
0 replies
14h48m

Some have even done this after initially allowing me to sign up using it, changing their policy sometime after I've signed up, and I usually only notice when I end up locked out of my account.

Viber did this to me. My Viber account is from 2012. I only found out when I switched phones.

Liquix
0 replies
14h25m

hoovering up users' phone numbers for profit is so widespread because

- everyone has a phone

- most people rarely change their numbers (if ever)

- many people are more likely to give out their phone number than their social security number

they couldn't care less about the security of your account or the fact that it's a valid number you control. they want the number that will uniquely identify you and already resides in the db of whichever adtech company bids the highest for your data.

trevoragilbert
5 replies
16h58m

It’s a tough pill to swallow the argument that one of the most widely used and beloved features (autofill codes from SMS) is against the best interests of the user.

pembrook
2 replies
16h26m

It’s a much easier pill to swallow if said user has a US phone plan and ever tries traveling abroad.

Good luck getting those SMS codes. And good luck getting the US carrier to not shut off your plan if you travel for longer than a few months.

okanat
1 replies
15h10m

Well that's because of US exceptionalism itself. More or less the rest of the world uses exactly the same tech for mobile, so cellular roaming works in every country. It's the US carriers that try carrier-proprietary tech to trap their customers into their networks.

I never had problems with getting SMS around the world with roaming. It just works.

hedora
0 replies
14h31m

I've never had problems with using SMS + wifi around the world without roaming.

(I've had that problem domestically, due to having laptop internet with no wifi password, though.)

scintill76
0 replies
16h52m

The argument is that autofill makes it so easy, that users accept it and companies are more likely to adopt SMS-based flows, right? Autofill doesn't seem inherently bad.

jameshart
0 replies
16h34m

iOS Autofill of one time codes works with email and with true TOTP codes. Authenticating a user securely on their phone can be seamlessly secure without relying on SMS.

kome
5 replies
16h41m

Why is email not the standard? I'm forced to have a cellphone if I want to use the bank, basically.

lotsofpulp
3 replies
16h39m

Because phone numbers serve as an effective way to screen for bots. Also, they are unique and people don’t change them, so useful for tracking people.

kome
1 replies
16h38m

But when they have to change them (i.e. moving to a new country), or they get stolen, it's pure pain. It's not a good system.

lotsofpulp
0 replies
16h36m

For sure, there should at least be an option for TOTP backup, but the powers that be know they would rather inconvenience a small percentage in exchange for the benefits.

fsckboy
0 replies
16h29m

Because phone numbers serve as an effective way to screen for bots.

only because we allow telco rent-seeking on phone numbers.

Daz1
0 replies
16h8m

Why are you forced to have a cellphone? You're free to visit the branch anytime you like.

seanwilson
4 replies
16h37m

What is a SIM-swap attack? It’s where a bad guy asks a carrier to port your cell-phone number to their phone.

How do they get away with this in practice? Can't the carrier phone the number for the SIM or txt to attempt to confirm the owner? Or send you an email or postal letter with a code? Or make you go to the store to show ID?

And if you claim to have no access to the above, send a txt/email/letter alert that you have 5 days to reply to before the switch happens?

Do any carriers advertise themselves as having strong security against SIM-swap attacks as a unique selling point?

zadokshi
0 replies
16h4m

Exactly, it wouldn’t be hard for the mobile providers to require sms confirmation and/or written authorisation before a number is ported out.

I don’t know if it’s government law or phone company laziness getting in the way of SIM security, but giving up on SIM security seems nonsensical and silly. Fix SIM porting security.

hedora
0 replies
14h29m

Step 1: Confirm victim is out of cell range.

Step 2: Sob story about how you lost your cell phone.

Step 3: Fake ID / Social engineering.

The five day wait would work well, though it doesn't protect against "I stole the phone and I yanked the SIM or looked at the push notification" attacks.

donmcronald
0 replies
15h54m

They could and it could be similar to emergency / fallback access in password managers. Send an SMS to the number (aka current SIM) before approving changes and force the person requesting the change to wait for X hours or days if there's no response to the SMS asking for authorization.

That's what the providers around me do, but I think it's because one of them got sued a while back and we only have about 3 providers pretending to be 10 different companies (aka fake competition).

ajsnigrutin
0 replies
15h11m

Yep, I never understood that either... you have to confirm your old number before you can transfer it to a new telco, so SIM swaps are not really a thing.

But it's primarily a US problem, and they have a lot of ID problems, like using their SSN as "passwords", and other stuff that would be impossible anywhere else (like illegal immigrants getting jobs at large companies and enrolling their kids in schools without anyone verifying who they are).

wiether
3 replies
11h5m

Can someone recommend a 2FA app that can provide the users with confidence?

I don't want to use Google Auth because I have absolutely no trust in this company and how unreliable they are with their products.

I currently use Authy but it's free, offered by a company (Twilio) and I can't really see what their endgame is here. So they could drop the service one morning because it's not useful for their main business anymore. They already announced dropping their desktop apps.

Said another way: is there a security company somewhere selling a 2FA app in which it's easier to put trust?

Sure Bitwarden can provide TOTP, but then I still need to put MFA on my Bitwarden account itself.

M4v3R
1 replies
11h0m

If you’re at a point where you would have your users pay for a 2FA app, why don’t you build your own (or build TOTP functionality into some existing app)? TOTP is very easy to implement yourself, it’s literally just a handful of lines of code.

rrr_oh_man
0 replies
10h51m

It's not that it's hard building it, but: Do you want to maintain it? On iOS, on Android? Through all update cycles? On all screen resolutions? Keeping up with the regular bullshit, especially coming from Apple? Random app store bans? Reviews? Support? etc.

Maakuth
0 replies
11h0m

There's TOTP support in Keepass2Android and KeepassXC (and surely other Keepass implementations too). These are open source and you can control how the password database is kept: cloud storage is supported as well as local file (that you can sync with Syncthing or whatnot).

TacticalCoder
3 replies
16h54m

Mobile network operators should be blamed too.

Now that said: in the EU (well in France at least), the biggest operators are teaming up and coming up with an interesting system called "SIM Verify" which is specifically crafted to make the life of SIM-swappers sad [1].

Basically companies relying on SMS can verify if a SIM card has been recently swapped and then act accordingly (like, for example, not allowing a password reset by SMS 30 minutes after a card has been SIM swapped).

I'm not saying it's a panacea, but it's a start (and it's all compliant with the EU's GDPR).

https://www.sfrpay.fr/Nos-solutions/Mobile-ID/SIM-Verify

tiku
1 replies
16h47m

Or just make it harder to get a new sim card. Why is this so difficult? Only send the card to the correct address etc.

mschuster91
0 replies
16h37m

Only send the card to the correct address etc.

That is pointless in the days of eSIM, and even before that it would result in a lot of trouble as a lot of countries don't require people to register a new residence at some government entity that can act as a source of truth.

spenvo
0 replies
16h49m

Thanks for highlighting this initiative, I'll add it to the article. And Done.

jsnell
2 replies
16h24m

"Companies should not let account recovery happen over SMS, they should just let the accounts be completely and irrevocably lost."

The position of the post is just rigid absolutism that has no chance of surviving the real world, and it's not at all clear that the author actually has any expertise in the subject.

It should be completely obvious that password + SMS 2FA is better than just a password. And while the industry has been trying hard to get people to move away from SMS 2FA (yes, the industry would actually like that, despite the author's conspiracy theories), it is slow going. TOTP has horrible ergonomics and doesn't permit passing side-channel information about what exactly is being authorized. Emails get caught in spam filters. Push-notification style app authentication is secure, but a lot of people will refuse to install your app unless you're like their bank.

Yes, SMS isn't the best form of 2FA for a bunch of reasons. Sim-swaps honestly aren't one of those reasons. But they are the form that you can actually get people to use, and succeed in using.

Ah, but what about single-factor SMS, you say (unlike the author, who doesn't seem to understand the difference). Again, consider the alternatives. If you don't allow for account recovery over SMS, what is your account recovery story? Human customer service will just be socially engineered as easily as the mobile operator was. TOTP seeds, recovery codes, etc. can be irrecoverably lost. Phones with authentication apps can be stolen and fail to be bootstrapped again. Email accounts or IDP accounts can be lost to hijackers, and are also frequently lost when people change jobs, graduate, etc. Security questions can be stolen and brute-forced.

SMS has a unique property that makes it invaluable as a recovery factor: it's a globally accessible communications channel that can be bootstrapped from just your real-world identity even if lost.

That said, allowing SMS for account recovery does carry some security risks. They can be managed or mitigated by e.g. requiring a cooling-down period, during which the account owner is notified about the recovery attempt and can cancel it. But like everything in this space, those mitigations are also tradeoffs. Which tradeoffs are the right ones depends a lot on what the account is for; there's no one-size-fits-all.
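The two mitigations mentioned in this thread, the SIM Verify-style "was this SIM swapped recently?" check from TacticalCoder's comment and the cooling-off period with owner notification and cancellation described just above, fit together in one small recovery policy. The following is an added illustration, not code from any commenter, carrier, or SIM Verify itself: the `last_sim_swap` lookup is a hypothetical stand-in for whatever the carrier API returns, the notification sink is injected, and the timestamps and phone numbers in `demo()` are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class RecoveryRequest:
    account: str
    phone: str
    requested_at: datetime
    cancelled: bool = False


class SmsRecoveryPolicy:
    """Gate SMS account recovery behind two checks:

    1. refuse outright if the SIM behind the number changed within `swap_quarantine`
       (the signal a SIM Verify-style carrier query provides);
    2. otherwise open a cooling-off window, notify the owner's other channels,
       and let the owner cancel before the reset completes.
    """

    def __init__(self, last_sim_swap: Callable[[str], Optional[datetime]],
                 notify: Callable[[str, str], None],
                 swap_quarantine: timedelta = timedelta(hours=24),
                 cooling_off: timedelta = timedelta(hours=48)) -> None:
        self.last_sim_swap = last_sim_swap   # hypothetical carrier lookup: phone -> last swap time
        self.notify = notify                 # e.g. email / in-app push to existing sessions
        self.swap_quarantine = swap_quarantine
        self.cooling_off = cooling_off
        self.pending: Dict[str, RecoveryRequest] = {}

    def request(self, account: str, phone: str, now: datetime) -> str:
        swapped = self.last_sim_swap(phone)
        if swapped is not None and now - swapped < self.swap_quarantine:
            self.notify(account, "SMS recovery refused: the SIM on file changed recently")
            return "refused_recent_sim_swap"
        self.pending[account] = RecoveryRequest(account, phone, now)
        self.notify(account, f"Recovery requested; completes after {self.cooling_off} unless cancelled")
        return "pending"

    def cancel(self, account: str) -> str:
        req = self.pending.get(account)
        if req is None:
            return "no_pending_request"
        req.cancelled = True
        return "cancelled"

    def complete(self, account: str, now: datetime) -> str:
        req = self.pending.get(account)
        if req is None:
            return "no_pending_request"
        if req.cancelled:
            return "cancelled"
        if now - req.requested_at < self.cooling_off:
            return "too_early"
        del self.pending[account]
        return "completed"


def demo() -> Dict[str, object]:
    """Run the policy over constructed data and return the outcomes."""
    t0 = datetime(2024, 2, 5, 9, 0, tzinfo=timezone.utc)
    # Constructed carrier records: one number swapped 20 minutes ago, one a month ago.
    swaps = {"+15550100": t0 - timedelta(minutes=20), "+15550199": t0 - timedelta(days=30)}
    sent: List[str] = []
    policy = SmsRecoveryPolicy(swaps.get, lambda acct, msg: sent.append(f"{acct}: {msg}"))

    fresh = policy.request("alice", "+15550100", t0)               # swapped 20 min ago
    ok = policy.request("bob", "+15550199", t0)                    # old, stable SIM
    early = policy.complete("bob", t0 + timedelta(hours=1))        # still cooling off
    done = policy.complete("bob", t0 + timedelta(hours=49))        # window elapsed
    policy.request("carol", "+15550199", t0)
    policy.cancel("carol")                                         # owner saw the notice
    stopped = policy.complete("carol", t0 + timedelta(hours=49))
    return {"fresh": fresh, "ok": ok, "early": early, "done": done,
            "stopped": stopped, "notices": len(sent)}


if __name__ == "__main__":
    print(demo())
```

The tradeoff jsnell describes is visible in the two constructor arguments: a longer `cooling_off` gives a legitimate owner more time to notice and cancel but delays a genuine lockout recovery, and a longer `swap_quarantine` blocks more attackers but also anyone who just replaced a lost phone.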

k8svet
1 replies
16h17m

I'm so frustrated reading these comments because I assume this is the logic used at these companies that make my life a daily pain in the ass.

My email is more secure than my phone. This is shown to be evident on a monthly or bimonthly basis, despite insistence from sms proponents that it's the only feasible oh and also secure way. Bollocks.

Every single time, it basically boils down to the truth - SMS auth is circumvental, recoverable, whatever you want to call it. And there's ample evidence of that being used for account takeovers.

I honestly don't understand how this remains a discussion.

jsnell
0 replies
16h10m

Great, go ahead and use your email address rather than a phone number then!

If the author's point had been that there should be a non-SMS option, I would not have commented. But that wasn't their point. They thought it should be removed as an option from everyone. It's just an amateurish idea, completely ignoring the real world and the tradeoffs.

joshe
2 replies
16h35m

The problem is that average sms security is higher than email, but email CAN be much more secure. So for mass market accounts sms makes a good login confirmation and improves security.

But if you've bothered to have somewhat secure email it sure would be nice to use that instead, and not worry about the 50,000 retail and support staff at telcos who can grab your sms account based on a convincing phone call.

So, please, I beg of you login developers, offer email wherever you use sms now.

kredd
1 replies
16h15m

I understand it’s a naive statement, but in order to log in into your email you would end up relying on some other sort of 2FA. And we’re back to square one to relying on SMS, because UX of other authentication flows has irrecoverable flaws.

hedora
0 replies
14h27m

Exactly. You could use a trustworthy mail provider with a domain you own (registrar and DNS provider in two other accounts, probably), and then a second mail account for the 2FA for the other three accounts, but then what's the 2FA for the second email account?

giancarlostoro
2 replies
15h8m

Wait.. what? Shouldn't we be blaming telco companies for being insanely stupidly easy to hack instead? I mean I have seen teenagers talking about how easy it is. When it's so easy even a minor can do it, you have a major problem.

bonton89
1 replies
3h5m

This is a common, but as much as I hate cell phone companies I don't think they ever asked for or advertised themselves as a secure identity verification solution and never should have been used as one.

Tech companies saw cell phone companies had a juicy piece of PII they wanted and SMS was kind of easy to use and common, so they did what tech companies do best: They dumped the hard part onto someone else, then accused them of being out of touch and archaic when they failed to carry the tech companies' water for them.

giancarlostoro
0 replies
33m

Sure, but this isn't brand new for telcos either, this is also not impossible to resolve, like requiring in-person ID at a store, which would be rather basic but more effective. The fact some kid from the UK can snatch your SIM card in New Jersey is astounding.

WirelessGigabit
2 replies
15h15m

Bank of America on iOS still ONLY supports text as a 2FA.

On my desktop I can do username, password and YubiKey.

But iOS is username, password and text, or Face ID and text.

Disabling text means disabling 2FA.

Ridiculous.

internet101010
1 replies
14h27m

Charles Schwab does "My voice is my password" when calling. That's going to cause a lot of problems in the near future if it hasn't already.

spenvo
0 replies
13h37m

Yes! Here is a bit I wrote on that a couple of years ago. This voice print ID tech is everywhere as well, used by financial companies, ISPs, and more! https://keydiscussions.com/2021/12/07/despite-the-prevalence...

wslh
1 replies
16h17m

There was a big issue with Payoneer's SMSs in Argentina under Movistar. I tried to raise the issue here on HN but it went unnoticed.

There is an insightful tweet [1] in Spanish that is translated as follows:

""" Well guys, the payoneer mystery is solved.

#PayoneerHacked

- The attacker compromised the SMS gateway used to send the 2FA to Movistar customers (the platforms use this to sneak the cost).

- The attacker saw 2FA messages passing from Payoneer to a Movistar phone number but had the problem of not knowing the email of the Payoneer user to change the password and make the transactions.

- The attacker, to discover what email was behind each phone, set up a phishing site to try to take ONLY THE EMAIL from there, and with the email + the phone + the 2FA that accessed the compromised SMS gateway in real time, he was able to change the password, access the account and send money, since he kept reading the 2FA that arrived on the Movistar phones.

- That's why the victims saw several real SMS with 2FA coming during the night that emptied their account.

- Even if Payoneer customers had fallen for phishing, they would only have had one 2FA stolen, and not all that is needed to log in, add an account and transfer. This need makes it evident that the compromise of the SMS gateway existed.

- The victims of this scam lost their money because the last mile of the security stack was compromised.

Be careful, because Facebook, Twitter and others share the same gateways to save money on SMS.

Here I leave a screenshot of the SMS that arrived during the early hours of the morning to a victim and that the victim was never able to share in any phishing and that were necessary to empty them.

(whatever you read in the media... fruit, lots of salad and little sauce. here's the post)

Thanks to everyone who cooperated. """

[1] https://twitter.com/julitolopez/status/1748440685743587811

bernawil
0 replies
2h34m

the crazy part is that Payoneer would let you reset the account password just with the reset code sent by SMS, no need to prove ownership of the email address.

talkingtab
1 replies
14h15m

Understanding the root cause or causes of a problem is required before discussing a solution. Is the problem that people use SMS? Or rather is the problem that carriers allow bad actors to easily port a phone number? We know it is wrong for a carrier to do this.

If we know that some used car dealers rip people off, is the fix to stop buying used cars?

Then how do we fix the problem that carriers do not protect our phone numbers from being ported?

We sue them. In most if not all states it is relatively easy to file a small claims case. For some reason most people do not consider this. Maybe someone could provide an example filing. Courts should and must provide relief to common citizens when they are aggrieved.

If this is indeed a common problem it should be documented and fixed.

alefarx
0 replies
14h0m

Yikes, this is a woefully misguided attempt at a seemingly rational response. Chalk up Auth-n security to the courts?

Yes, this is a known problem and, no, shrugging off the issue to the lawyers is not appropriate. Candidly it's downright irresponsible if not criminal.

xyst
0 replies
14h59m

What needs to be done to get rid of SMS as 2FA? Fed regulation? It will be slow (ie, took many years for the US to fully get rid of mag stripes as the standard), but at least it will motivate US companies (effects to possibly ripple across the pond) to get their shit together or find a new vendor.

Multiple banks I use still use SMS as primary 2FA. Kind of sad.

wraptile
0 replies
9h35m

Here in Thailand phone carriers re-use phone numbers every 2 years or so. Recently I forgot the password to a local Amazon (Lazada) and did a phone reset that logged me into some other person's account with credit card attached and everything. Also, pay-as-you-go phone numbers tend to expire in 2 months without a way to reset this, so you're always at risk of losing your identity confirmation.

I really don't understand how phone numbers became so accepted as an identity confirmation.

throwaway2990
0 replies
11h24m

Anyone who thinks companies using SMS are to blame for SIM-swap attacks is an idiot.

Allowing sim swap without any sort of verification is the issue. You cannot just sim swap in countries outside of America.

tamimio
0 replies
16h10m

That’s what I have been saying for years every time I have an opportunity, last one few days ago https://news.ycombinator.com/item?id=39247480

But it won’t happen, that phone number is NEEDED to be tied to your identity for a lot of reasons, that’s why banks (where most people have their real identity) are still requiring a phone number.

shantanu77
0 replies
14h39m

In India, the solution is simple. Carriers don't allow SMS to be received until the SIM swap is completed. SMS is by far the best option for 2FA.

sairamkunala
0 replies
54m

Most Indian banking services, payment endpoints and OTT platforms have adopted phone numbers as identity.

Your phone number is your identity. You can receive or send money only through your phone if the SIM is installed and validated by sending an SMS.

Getting a replacement SIM card requires physical verification using Aadhaar (identity service) with One Time Password validation (email/SMS). Once the new SIM is active, you will not receive any SMS for the first 24 hours after getting a replacement SIM card. This is to reduce the attack surface of SIM swap attacks.

rinron
0 replies
15h51m

A lot of companies choose SMS for no other reason than that it really limits spam and cuts down on fake accounts. People are, for the most part, conditioned to be free with their phone number, making it pretty much the only identifier that can't be easily changed without cost or human effort (it's not too hard, and often normal, to block VoIP numbers). Sure, you can say, well, then also require some other form of authentication, but these companies are trying to make money and go to a lot of effort to reduce even the slightest friction for new customers. Besides, once they have SMS and 98% are happy with that, why put more work in? The real problem, though, is what other choice do they have? Yes, you and I would put the effort in to both secure and properly manage better systems, but the vast majority would quickly forget or lose any other method. They have to make a system that is "secure" for them anyway, so why implement other systems (yes, I know you and I think it would be worth it for us, but maybe the bean counters don't)?

It's completely understandable that the average person THINKS that SMS is secure; everyone depends on their phone and uses it for very personal, private and sensitive business calls. Even without tech companies using it for auth it would be exploited, just not as much. Unfortunately it would take an incredible amount of cooperation, expense and growing pains to properly secure the telecom network. They are extremely interconnected legacy systems that are designed with the assumption that there is no security besides trust. That being said, they could improve things a whole lot more if they were able to verify their customers better on support calls, or at least had higher-security options you could enroll in, so they didn't put people who care about security in with the ones who can't even keep track of their own account numbers.

Personally, without governments coming together to implement a digital "secure" citizen identification system (also very scary), probably the best we can hope for, and I think Google now allows this, is, after it's verified by phone, to remove it as an authentication and recovery option and set up multiple hardware security keys/passkeys. Yeah, people will still be idiots and use SMS even when there are better options, but at least some of us can be secure.

qweqwe14
0 replies
11h22m

A couple of factors lead to companies "embracing" SMS:

1. A phone number is a useful piece of information to have on a customer (to sell to someone or whatever).

2. Some (most?) people are too dumb to manage passwords/TOTP and shouldn't be allowed to use a computer. As a result, everyone suffers and is forced to use broken SMS 2FA that can be SIM-swapped.

3. Companies want to stop bots and use phone numbers for that, even if it's a non-issue for bot operators in practice. A little inconvenience, sure, but it doesn't change the bigger picture in any way.

powerapple
0 replies
11h41m

Why can I set a level of security to my account, how about let me choose how secure it should be? There are many accounts I don't care about, I don't even want to use password with it. I should be responsible for my account security, and I should make that decision.

markhahn
0 replies
16h19m

what, no blame for the stupid mobile providers who let themselves get social-engineered?

k8svet
0 replies
16h27m

As usual, this conversation seems to be one side pointing out how god awful SMS is for security, usability, etc, and the other side going "but how else can we accommodate helpless users". (edit: sorry missed an important negation wording mistake)

Like sure, if I could, I'd make SMS disappear, but really, I'd settle for just punishing those companies so lazy they can't roll out any non-SMS support.

j45
0 replies
17h1m

SMS pins are anything but secure.

Adding an Authenticator app is much better.

gui77aume
0 replies
15h27m

Would it make it better if it were the other way around? If the user sent the random code to the authenticating entity by SMS?

charlie0
0 replies
16h15m

It baffles me that all services haven't defaulted to something like Google Authenticator or similar. Users should be given a choice.

cco
0 replies
15h43m

This exact topic came up by chance at the lunch table today (I work at Stytch, we do auth).

SMS as a primary (or frankly even as a second factor) is fraught. But as comments in this thread call out, they can be incredibly smooth UX for end users on mobile devices.

And in fact, for some user bases, far and away more ubiquitous than emails. There are many populations that just don't have email to serve as a primary factor, but do have phone numbers.

So it's a nuanced topic. Everyone, both users and developers, needs to have eyes wide open to the danger and protect against it.

And let's not forget the telecoms, they need to recognize that the phone number serves as a primary login factor and treat it more carefully. That might mean in person or stronger identification requirements on changes.

balls187
0 replies
15h2m

Also don’t get packages delivered to your house because badguys can steal them.

Also don’t keep money in your wallet because badguys can pickpocket you.

Also don’t use computers because badguys can steal your passwords.

Turns out the problem is Carriers are dogshit and don’t protect their customers.

NoPicklez
0 replies
14h18m

I do disagree with the title; telcos should be responsible for SIM swap attacks, as they should have better processes to prevent people's mobile numbers from being ported.

Additionally, whilst people rave about 2FA apps, not many people talk about an approach to recovering your 2FA app account if you lose your device or anything else.

NoPicklez
0 replies
14h31m

How about they create a permanent site that guides people who have read the article in how to switch to app based 2FA?

Doesn't have to name applications, but explain the process and common pitfalls people find themselves in when switching to app based 2FA and how to prevent them.

Hobadee
0 replies
12h58m

Surprised nobody has mentioned NIST SP 800-63B §5.1.3.3.

SMS based authentication is explicitly insecure and not allowed.

https://pages.nist.gov/800-63-3/sp800-63b.html#pstnOOB

ClassyJacket
0 replies
14h33m

As someone who has moved countries before, I despise SMS authentication. It should not be used for anything, ever.

8organicbits
0 replies
10h49m

I'm fascinated by the way Signal solves this problem. You can register a phone number, verify it over SMS, set up a registration lock PIN, and then have quite secure communications. The registration lock can be bypassed if someone tries to register the number (like when the phone number is assigned to someone else), waits for a while, and the previous owner doesn't re-register.

Services that do SMS delivery of OTP may want to consider delivery over Signal or WhatsApp when available as they add this additional security.

I've also thought about building an OAuth provider (like sign-in with Google) that does Signal-like phone number verification and lock PINs. This reduces some spam concerns, as it's harder to create burner phone numbers than email addresses. A centralized OAuth service would make it easier than having every web app need its own SMS phone verification integration.
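A toy model of the registration-lock behaviour the comment above describes, added here as an example (it is not Signal's code and not the commenter's). The `Registry` class, the PIN hashing and the 7-day inactivity window are assumptions made for illustration, not Signal's actual parameters; the point is that proving SMS control of a number is not enough to take it over while the lock is alive.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import hmac
import os

# Assumed inactivity window after which the lock lapses (a placeholder,
# not Signal's real parameter).
LOCK_WINDOW = timedelta(days=7)


@dataclass
class Registration:
    owner: str          # label for the device/person currently holding the number
    pin_salt: bytes
    pin_hash: bytes
    last_active: datetime


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked registry does not expose short numeric PINs outright.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Registry:
    """Hypothetical server-side table of phone number -> registration."""

    def __init__(self) -> None:
        self._regs: dict = {}

    def register(self, number: str, owner: str, new_pin: str, now: datetime,
                 lock_pin: Optional[str] = None) -> str:
        """Called only after the caller proved control of `number` over SMS.

        While the previous registration was active within LOCK_WINDOW, the
        previous owner's PIN is also required; once that window has passed
        with no activity, the lock lapses and the number can be re-registered.
        """
        current = self._regs.get(number)
        if current is not None and now - current.last_active < LOCK_WINDOW:
            if lock_pin is None:
                return "pin_required"
            if not hmac.compare_digest(_hash_pin(lock_pin, current.pin_salt), current.pin_hash):
                return "wrong_pin"
        salt = os.urandom(16)
        self._regs[number] = Registration(owner, salt, _hash_pin(new_pin, salt), now)
        return "registered"

    def touch(self, number: str, now: datetime) -> None:
        """Record activity by the current owner, which keeps the lock alive."""
        self._regs[number].last_active = now

    def owner_of(self, number: str) -> Optional[str]:
        reg = self._regs.get(number)
        return reg.owner if reg else None
```

The last case in the test below is the bypass the comment mentions: a number that has gone quiet for the whole window can be claimed by whoever currently receives its SMS.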

486sx33
0 replies
16h3m

I absolutely hate SMS verification. Email providers want SMS verification, my corporate Microsoft account wants SMS verification to log in on PCs and then it also wants Microsoft Authenticator verification! What it really wants is me to “stay logged in” all the damn time. On my Mac, Outlook needs to log in to Gmail in Safari again every damn time I clear Safari's cache. What the goddamn hell. What if I changed my phone number? I’d lose access to almost everything… wait, is that the point? CIA? NSA? KYC? C'mon! The internet used to be fun, but now it’s just a hassle.