As an aside, I hate the nuance-less "SMS 2FA is insecure" line. It's the weakest 2FA form for sure, but it's still so much better than not having 2FA. Even if you support multiple options depending on your product it may very well make sense to stick with SMS as the default to reduce friction.
They do.
Google's Authenticator is as close as it gets to a native Android app, and your secret keys have been synced in Google's cloud for a while now (it's a shame they waited so long).
Apple's Keychain has supported TOTP for ages too.
That said OTPs over RCS instead of SMS are a major improvement if you don't mind your phone number being used as an identifier.
I think that Google does not care about security for their users, because their passwords app is clearly some intern work, not something really well thought out. They just slapped it in to mark a checkbox in their "Chrome password autofill" TODO list and moved on to more pressing issues like implementing user tracking and extracting more ad revenue. Apple had similar issues for years, but I think that their recent releases significantly improved.
I'm not sure we can blame Google for not pushing their Authenticator more, most services have been dead set on SMS and are now slowly moving to Passkeys, probably for the best.
What do you do if google/ms/apple won’t let you log in, or you lose a device, or you lose your phone?
If the answer is “there’s an account recovery path involving a password”, then just accept passwords!
If the answer is “recover the passkey provider account”, then that forces everyone to have a single password / security question / whatever that grants access to all their accounts.
edit: the app used to be open source: https://github.com/google/google-authenticator-android/
"By design, there are no account backups in any of the apps."
You can get service starting at $20 per month. Fi used to have good service in some mountain areas too, with US Cellular. Not sure what's going on with US Cellular right now though. Some kind of half acquisition by T-Mobile.
I always had problems with SMS until I got Google Fi. And that's a problem because, as the article here says, many banks insist on SMS these days. There are various services that give you a virtual number. But they always suffer from one of two problems: (1) VOIP numbers are 'blacklisted' by some banks for security reasons: they want a real cell phone number; (2) I simply don't get SMSs in some cases for some technical reason.
Google Fi works everywhere. Even when there is no cell phone service: it will tunnel over WiFi.
Google shuts off the data on Fi after you've been outside the USA for a month. No problem, I'm happy to pay $25 a month for a 'dataless' connection that gives me SMS and voice.
* Tello
* Red Pocket
* Good to Go Mobile
If you’re looking for a real local phone number in the location you’re traveling to, then eSIM providers like Airalo can handle that (Airalo has “global plans” that support voice and SMS). Getting such a connection for voice and SMS, as compared to a data SIM alone, would be expensive. So you could get a data eSIM that works locally and use that for “WiFi” calling/SMS with the providers mentioned above.
To be somewhat more specific: while I travel extensively and am in the US often, I am often outside of it for more than a month at a time, and it appears that Google will shut off data outside the US if you use data outside the US for too long. If you are using a different SIM for the primary data connection, it appears that they won't even if you have it enabled as a backup.
The last time I checked, if you wanted "cellphone is off" texting/voice (basically the old Hangouts), you had to enable "Fi syncing", which disabled RCS features. Is that still true? What URL do you go to to do texts/voice? (I see hangouts.google.com redirects to Google Chat.)
The terrain is rugged there, but it is not an "eccentric lifestyle"
It is extremely typical, however, to see the most basic needs of Appalachian people ignored on the grounds of their perceived choice of lifestyle
just this weekend I endured yet another incest joke.. I bet you have one of those ready too
Heck, there are places that are a 20 minute walk from Apple and Google HQ without cell service.
Many "eccentric" lifestyles are not chosen.
For instance, not owning a smartphone or not having easy access to power is not necessarily limited to well-off tech-savvy hipsters who want to make a statement; homeless people, older people in less connected areas or people in developing countries can also be in that situation.
When you make your services depend on specific access, and you give people without it no escape hatch, your service becoming successful usually means worsening access for people that have fewer means to adapt.
Interesting choice of vocabulary.
You could decide not to serve people without also describing them as freeloaders in order to feel morally righteous about your choice.
I think the discussion is less around "subsidizing" them and more why requiring a cellphone with 2FA to exist and do basic things is kinda stupid.
You were the one introducing this vocabulary (as well as claiming everyone living there does it by choice). Now you try to move the debate again with people "demanding" stuff. None of this vocabulary or framing exists in the original article, or in mine.
Let me clarify the question: why do you insist on framing this debate in a way that makes a moral claim about people's character?
I must be imagining the farms that I pass in the mountains in the middle of nowhere when I go backpacking. Surely your argument isn't, "My farm was here, so it's impossible for other farms to be in different locales"?
>I once...
My phrasing did not suggest "one time" (the phrase was "I pass", suggesting regularity), and it's not just one single farm, it's a few, and I've passed them many times. I have to agree with someone else[1] about your using vocabulary that others haven't introduced - I question whether or not a good faith discussion can be had because of that. Have a good one!
Recently former homeless person here. The Republicans in Congress refused to renew the Lifeline program in 2023 and the replacement is objectively worse in every single way.
> Not all choices need to be subsidized.
Ah yes, being homeless, a choice. I hope it never happens to you.
Requiring Bluetooth and an Internet connection on your phone suggests that that's exactly what they removed on their side. Quite clever, if true – why pay for network connectivity if you can just piggyback on your customers'? (Never mind those customers without a smartphone and data plan...)
Let's put it like this: The old ones (with a display) definitely do, because they can send email notifications. I would be very much surprised if the new ones didn't. The main reason for requiring the app isn't connectivity to the outside world, it is that they can save money on the terminal screens, which get vandalized frequently in some areas. The internet connection is probably a fraction of the cost of replacing those touch screens every few months.
I guess this would be easier in a neighbourhood laundromat with local clients, but in a hotel with many foreigners it becomes a pain with so many dependencies needed to use the washer and dryer.
2. Ask the cell phone company for a femtocell. These used to be called "AT&T Microcells" and they were cheap. I used one before cell service improved because I live in the mountains. But apparently AT&T don't make them any more and now they cost $2500.
https://www.waveform.com/products/verizon-network-extender-f...
3. Subscribe to mightytext.net so you can get SMS on your computer. I don't know if this works if your cell phone can't get signal; I use it because I find it easier to use my laptop keyboard to type SMS messages than to use my thumbs on my phone.
It can't – how would it?
The only entity that can forward texts is the carrier, and I doubt that that service is integrated with all US carriers to somehow get them forwarded (which is technically quite difficult for various legacy protocol reasons).
Apple's satellite messaging service is the only solution I know of that can somehow hook into carriers' SMS home router (or IMS equivalent) infrastructure to intercept and out-of-band forward SMS.
Anyway, it’s probably possible to make a service like that. You might need to route through a country with permissive laws.
Allowing SMS interception without the home network's consent seems like a quick way to get offboarded as a roaming partner.
Are you sure it actually does this?
I thought it was a pseudo-carrier that could speak MAP / Diameter, and just pretended you were roaming with them when you used satellite connectivity, perhaps with the original carrier's knowledge and consent.
As far as I understand, that's how this kind of service usually gets implemented.
Would that approach also allow the extra functionality they seem to be offering, such as only recently messaged numbers and emergency contacts being able to send messages to satellite users, though? I suppose they could just reject all MT-Forward-SM with sender numbers they don't like?
> As far as I understand, that's how this kind of service usually gets implemented.
Do you have any other examples for solutions like this? Are you thinking of (pre-VoWifi) carrier apps or services that could receive texts, sometimes on multiple devices?
I'm building the opposite, using the modem and a Raspberry Pi to send me metrics from my cabin, but could easily work in reverse.
While prototyping I had it parse SMS messages I sent it.
Obviously not for everyone but we're on HN here...
PUSH approval could be used instead but then you need to download an app for every service you use, which isn't very convenient.
PASSKEYS offer a solution which will work on both web and mobile and don't require you to download an app for every service. But it's a new concept that people need to learn so how fast they will be adopted is yet to be seen.
The Secure Payment Confirmation [1] extension to WebAuthN supports using passkeys on third-party sites (think merchant checkouts) and including signed structured messages (think "confirm payment of <amount> at <merchant> on <today>").
It wouldn't be crazy to imagine authenticators with small OLED displays to provide an end-to-end secure channel for displaying that information, similarly to how cryptocurrency hardware wallets already do it.
Of course, this would require a certain popular hardware and software manufacturer with a competing payment solution to implement the extension...
SMS 2FA tied to your mobile number sucks if it doesn’t support Google Voice, especially when traveling internationally and your SIM card isn’t in your phone.
Email 2FA usually works, but I just find it annoying.
App-specific push notifications mostly work, but it’s hard to debug if you don’t get the notification. For example, I recently bought a new phone and all of my apps were reinstalled when I restored from a cloud backup. For some reason app notifications didn’t work until I uninstalled & reinstalled the apps. And reinstalling the apps was a bit confusing because some of the apps were not available in the app store based on my physical location in a different country at the time.
The server just needs to remember which TOTP codes have been used and to reject after the first use.
The code is no longer sensitive after it has been used, so jam it in a database that can expire tuples after a few minutes or stick it in a login audit table if you have one.
> port her cellphone number to a VOIP provider that does support receiving SMS from shortcodes over wifi
That's generally a great solution – unless the company she's dealing with is one of those that don't send SMS-OTP codes to VoIP numbers for seCuRiTy reasons, or demand that the number is somehow "registered in her name" (which many smaller carriers apparently don't do).
I really wish that were illegal. A phone number is a phone number.
> she turned on wifi calling on her phone. now she could receive SMS messages from friends and family, but 2FA codes still weren't coming through.
Interesting, I was under the impression that SMS over IMS was implemented transparently to external senders. But given what a hack the entire protocol is, I'm not really surprised.
It pisses me off to no end. I use a few different banks and some are fine with google voice, others are not. One only allows customer service to send SMS tokens to google voice but not through the regular flow. In all but one case, they will happily robo call my google voice number and have a tts engine read me the same code that they didn’t want to SMS.
Security policy by rng, ffs!
It’s insane to me that maybe every bank I use requires SMS 2FA, but random services I use support apps.
It's inexcusable.
I really agree with it, but that’s probably their rationale.
Yes, a digital OTP generator is more susceptible in theory to theft or duplication than a hardware token.
Yes, the benefits of digital OTP are great compared to password only, more secure than SMS, and trivial to implement.
SMS-OTP, with all its downsides, allows attaching a message of who you're paying how much to the actual code.
Personally I don't put TOTP tokens into my password manager and keep a dedicated app for it, just in case my password manager is pwned.
I registered it about 13 years ago. I didn't transfer it from a landline/cell phone, it was picked from a list of Google Voice numbers available in my area code. I've never had Fi.
I was wondering about that, because I can't get google voice because I have google fi, so clearly it's using the same bank of numbers, but maybe once they are fi, they are ported to T-mobile instead of their own CLEC.
*The bands acquired with the Sprint merger have service, but the cheap used phone I bought was pre-Sprint-merger and lacked those bands.
I can probably illuminate some things here. This is almost certainly the SMS API they're using. Your phone, and your network by extension, does not care if the phone is technically online - so those messages get received because they're literally sending in the blind (and if the recipient is offline, the message gets temporarily stored by the receiving carrier for around 3-7 days before it is discarded).
These SMS OTP systems validate "reachability" (using APIs like https://developer.vonage.com/en/number-insight/technical-det... and https://www.twilio.com/docs/lookup/v2-api/line-status) and will not send a message if a number is 'not' reachable. Unfortunately, as implied by the air quotes, these methods are not infallible. This is done to reduce the costs of sending the message (carriers charge a lot more for commercial customers), but this is definitely stupid for an already-validated number like in this case.
I have such a ported number and have no issues receiving SMS 2FA codes.
Companies do SMS because their VP of security compliance demands 2FA and because it's easy and has mature existing third-party vendor support. No tinfoil hat needed for this one.
https://www.eff.org/deeplinks/2019/10/twitter-uninentionally...
https://techcrunch.com/2018/09/27/yes-facebook-is-using-your...
Maybe verizon is incompetent or malicious?
What happens if you’re overseas or in a cell dead spot with wifi? The latter happens to me all the time in the city.
It’s amazing how many hip “use your phone to order!” restaurants are in cell dead spots, and have set up wifi access points as a workaround.
The 4G router also has the benefit of being able to use externally mounted antennas. Which might help in low signal areas.
Not ideal, but might at least be a solution for some people.
[1]: https://wiki.teltonika-networks.com/view/SMS_Forwarding_Conf...
> she usually doesn't even have service 100 meters down the road.
An outdoor antenna would be better, but yeah more of a pain. I guess it really depends on how badly someone wants SMS.
SMS 2FA is terrible though.
2. People love binding individual accounts to specific IP addresses, and large marketing firms especially like websites that use free DNS service to quietly track said users across the session
3. Much like DRM, the account auto constrains a single user to a single IP. Makes sense... unless you run a business account with a dozen people clearing a shared inbox
4. SMS inbox phone numbers are $2.75, and that requirement is bypassed if the company smartphone hardware/emulation is in use for account "recovery"
5. SIM hijacking and email server snooping is far more common than people like to admit
6. People feel safer, but it only increases the CVE difficulty level slightly above third world skill levels
This is why we can't have nice things =3
It would require a lot of trust.
Similar and related discussions on this post:
If I had stayed there longer, I might have found a better solution for my personal situation, but the experience as it was left me pretty uncomfortable with mandatory SMS 2FA as a general security tool. I'm sure there are many other people running into similar edge-cases.
Talk to your provider, explain to them you get poor service at your home or place of work, and they'll send you a free Internet-in cellular-out radio AP. She doesn't need a tower-based booster if she's got fiber/cable/DSL, those only serve to amplify weak signals and she's too many miles and too many mountain ridges away from the nearest tower, she wants something with RJ-45 input, a little GPS antenna so the cell supports e911 location data, and it will broadcast LTE (or now 5g) cellular data.
I work at a shop with metal walls located in a river valley. It's a cellular data black hole. People used to climb the hill up the driveway to make and take calls, but various people called their AT&T, Verizon, and T-Mobile providers and all three shipped us femtocells. Now the users and the contractors/customers who come to visit can't even tell that their phones have switched to data over our ISP instead of a tower; it just works, including 2FA codes and MVNOs.
She may have to switch to first-party Verizon service instead of using an MVNO.
A lot of office buildings have these in them. I think the personal ones are how they get around some of the issues with government requiring them to build networks to certain coverage. They just don't build it out and when someone complains they offer them one of these.
(Fun trivia: Our office paid $XX,000 for AT&T MicroCells which wouldn't activate because they couldn't get GPS signal.)
You might even try to block incoming SMS. In fact, you might also try a forward with Twilio or a free Google Voice number, since a lot of SMS TOTP refuse to work with those numbers :)
I've even had success removing my phone number entirely from certain types of accounts, but sometimes I had to deliberately break the account (eBay) and then it tries to get you to confirm on each login which you can sometimes bypass by changing the URL or clicking the company logo.
Be sure to have strong security in other ways; strong, non repeated passwords.
But this is truly insane. Large banks don't even offer the option of TOTP but instead require far more insecure SMS. Maybe they'll offer RSA dongles, because they never bothered to remember when they all got completely leaked ten years ago or how they accepted $10M to completely compromise their constants.
What can you say, large enterprises are behind the security eight ball, as always! It's a tale as old as time.
https://www.wired.com/story/the-full-story-of-the-stunning-r...
https://www.theverge.com/2013/12/20/5231006/nsa-paid-10-mill...
The point of SMS 2FA is tracking.
It's to force you to give them your phone number, for their own marketing, but also selling your customer profile to companies like Palantir.
This also makes the government happy, because they can scoop up your SMSs and they get a nice handy list of every service you use which makes warrants easier, but also gives them info about when you log in or do other actions on those accounts.
SMS 2FA costs these companies far more than TOTP would, but they still use SMS 2FA. That tells you everything you need to know...
Your carrier is already capable of redirecting your SMS messages to other carriers, that's what they do when you're abroad and roaming with a foreign operator. You could make a fake carrier that speaks the right protocols on the roaming side, but communicates with the customer over the internet (using an API or a proprietary app) instead of LTE or GSM.
This would essentially work like an SS7 redirection attack, but with the full knowledge and consent of the "victim." You could alleviate the security impact here by requiring SIM card authentication, just like a normal carrier does, which could be performed through the internet and an USB reader just fine.
Carriers would probably hate this and might not be willing to sign roaming agreements with such a company. I wonder whether a gray-hat route would be possible here, especially if the company was outside US jurisdiction.
This is THE problem with your idea. Congress would have to pass a law forcing them to do it, or they won't.
You'd probably have more luck physically keeping someone's SIM card, keeping it installed in a phone, and watching for new texts. Perhaps you could make a box that simulates 10 phones at once.
This has been essentially been tried multiple times, e.g. by FreedomPop and Republic Wireless.
On what grounds?
> I still think they have a good chance in court
Can you share the law you think was violated?
This does not seem plausible. I live in an urban area but do not have a good cellular connection at home, and my mobile phones usually route calls via home WiFi. All SMS come through. It is just a low-level transport and I doubt it cares about message size or numbers.
- username
- password
- one time generated 16 digit number
- SMS confirmation
- email confirmation
- phone call with an associate
- retinal scan
- DNA sample
Whereas to log in on mobile all you potentially need is a 4 digit pin which a passerby could easily observe, then yank the phone from your hand?
I'm often traveling outside of the US, and my AT&T prepaid line most definitely does not roam outside of CAN/US/MEX. I spend the bulk of my time in WiFi calling mode. I have never had any issues receiving or sending SMS over WiFi, including to short codes.
Luckily this is starting to change. Apple's Passwords app does TOTP out of the box.
Though I am mystified why Google Authenticator doesn't come pre-installed in Android.
It didn't need bells and whistles and constant security updates, but it took 13 years for it to get cloud-sync support so you could back up your codes.
I have been using this setup for a few years now without any issues. Even when I am not roaming, I still have this setup on my primary phone. So when I am on my computer and need a SMS OTP I don't need to go find my phone, I receive it in email :-).
(Note : This doesn't work with MMS but I don't need them anyway)
Lately though, SMS works over WiFi calling and usually if I need a real SMS where Google Voice won't cut it, it can wait for WiFi...
I roam all the time in Europe and have roamed a lot outside of it, I have never had any trouble receiving any SMS?
also was surprised to learn from the article that some carriers don’t support the 2fa 5 digit numbers over wifi calling/sms. when I travelled abroad recently that was such a life saver since my carrier supports it
For example, I'm actually liking Walmart.com more than Amazon in some ways lately, but logging into Walmart.com takes minutes while I wait for the 2FA after I already password authenticate. So Amazon wins all the casual browsing and impulse sales, and by the time I do log in to Walmart.com, it's only because I know I want to order something from there specifically, and it's already feeling tedious.
Some off-the-cuff suggestions, since the worsening authentication experience really bugs me:
1. Present the email/username and password fields simultaneously, so that browsers like Firefox can fill out both fields. (A lot of sites have started showing only the email/username to start, and also making that rely on non-login form field filling. And only after you type in your admin/email, because you don't form-autofill in general, does it present
2. After user opts to authenticate with a password rather than SMS/email code, let them in, unless you're something like a bank or a medical provider. (Don't then make them do the SMS/email code anyway.)
3. If your mega online store handles HIPAA-sensitive data for some small percentage of visits, and you need 2FA for that, maybe only do the 2FA to upgrade the authentication confidence for session. (Or maybe the more sensitive data is on a different backend anyway, so as not to encumber all the developers implementing Wheaties logistics, with all the additional protections that are needed for medical records, nor to add additional weak links leading to leaks.)
4. When SMS/email 2FA is really necessary, send it immediately and reliably, and make it copy&pasteable. (Sometimes I wait minutes, and other times it doesn't come through at all. And I've even gotten email ones where competent-user text-selection picks up whitespace somehow, or even a weird unprintable Unicode character, which breaks the code entry when pasted.)
5. Those buttons to authenticate a variety of other sites are needlessly leaking information, and creating additional ways to compromise the account. (That's what you do if you want to reduce friction to first visits to your site, for which people aren't interested enough to create a password to use -- but not for logins from recurring customers.)
6. Don't prompt for "remember this browser?", and don't otherwise rely on the persistent tracking data deposited on the user's browser, across explicit authentication sessions, such as to decide whether to 2FA. For one reason, those persistent data mechanisms are overwhelmingly for shady abuse by the adtech/surveillance industry in shady ways, and are frequently cleared by privacy-conscious users. And why is a bank, for example, complicating the UI to ask ordinary users whether to lower their authentication security on this device, and expecting much sense out of that at all? Keep it simpler, more secure, and more responsible or respectable.
7. If you must support 2FA, make TOTP an option. And not TOTP-incompatible codes that require installing your app, or that depend on some oddball third-party proprietary authenticator app/fob that seemed like a good idea at the time but is not a reason not to support TOTP. (You can still grandparent in the legacy proprietary 2FA, for those long-time users who've been using it, and be clever about not complicating the UI for those dwindling users, nor for the increasing users using the more current open standard.)
SMS codes have been hit or miss, and this explains it well.
Calwestjobs•4h ago
SMS needs your number, your data is more valuable if marketers can assign your real name to your data. or aggregating all data about you, phone number helps with that.
gruez•3h ago
This is mostly a red herring because most of the places that require SMS OTP already have your full name/address (eg. financial institutions, healthcare providers) or are in a position to intercept communications from which they can infer that information (eg. Google). If apps/sites like TikTok want my phone number for 2FA, they can fuck off, or get a burner number.
Calwestjobs•3h ago
same problem with signal messenger or facebook messenger building databases of numbers and contacts. neo4j clone from palantir.
globie•3h ago
"Most"? maybe "a troubling few"?
Phone verification is absolutely a widely exploited data mining opportunity, I don't see how it's a red herring at all. It's one of the worst surveillance mechanisms we live with today, only partially waved away with the 2000's concept of burner numbers.
lxgr•3h ago
"Enter this code only if you want to pay <amount> to <merchant>" is much more secure than "enter your TOTP here", which is a lot like issuing a blank check in comparison (and in fact required by regulation in the EU, for example).
Not even WebAuthN provides that property on a compromised computer; for that, you'd need something like the SPC extension [1] and a hardware authenticator with a small display.
That's unfortunately why we're currently stuck with proprietary bank confirmation apps that can provide it. I really wish there was a vendor-neutral standard for it, but given how push notifications work (or rather don't work) for federated client apps, I'm not holding my breath.
[1] https://www.w3.org/TR/secure-payment-confirmation/
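Two points from this thread in working code (an added example, not code from any commenter): the server-side "remember which TOTP codes were used and reject the second use" logic described earlier, and lxgr's transaction-bound code, where amount, merchant and date feed the MAC so the code is not a blank check. Plain HOTP/TOTP follow RFC 4226/6238; the transaction binding is a simplified construction in the spirit of OCRA (RFC 6287), not its exact encoding, and the user names, secret and transaction values are constructed.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, extra: bytes = b"") -> str:
    """RFC 4226 HOTP (HMAC-SHA1 with dynamic truncation). `extra` is a
    non-standard hook used below to bind a code to transaction data;
    leave it empty for plain HOTP/TOTP."""
    msg = struct.pack(">Q", counter) + extra
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6,
         extra: bytes = b"") -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals."""
    return hotp(secret, int(at // step), digits, extra)


def transaction_data(amount: str, merchant: str, day: str) -> bytes:
    """Canonical encoding of what the user is asked to confirm. Changing any
    field changes the MAC, so a code approved for one payment fails for another.
    (Simplified construction, not RFC 6287's data-input format.)"""
    return "|".join((amount, merchant, day)).encode()


class OtpVerifier:
    """Server side: each (user, time step) is accepted once. The used-step
    record is kept only until that step leaves the acceptance window, which is
    the "expire tuples after a few minutes" store described in the thread."""

    def __init__(self, secrets: dict[str, bytes], step: int = 30,
                 window: int = 1, digits: int = 6):
        self.secrets = secrets          # constructed: user -> shared secret
        self.step = step
        self.window = window            # steps of clock skew tolerated each side
        self.digits = digits
        self._used: dict[tuple[str, int], float] = {}   # (user, counter) -> expiry

    def _expire(self, now: float) -> None:
        for key, expires_at in list(self._used.items()):
            if expires_at <= now:
                del self._used[key]

    def verify(self, user: str, code: str, now: float, extra: bytes = b"") -> bool:
        self._expire(now)
        secret = self.secrets.get(user)
        # Fixed length: never derive the digit count from attacker-supplied input.
        if secret is None or len(code) != self.digits or not code.isdigit():
            return False
        current = int(now // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            expected = hotp(secret, counter, self.digits, extra)
            if hmac.compare_digest(expected, code):
                if (user, counter) in self._used:
                    return False        # replay: this step's code was already spent
                # The step stays acceptable until `current` passes counter + window.
                self._used[(user, counter)] = (counter + self.window + 1) * self.step
                return True
        return False

    def verify_transaction(self, user: str, code: str, now: float,
                           amount: str, merchant: str, day: str) -> bool:
        """Accept only a code computed over exactly these transaction details."""
        return self.verify(user, code, now, transaction_data(amount, merchant, day))


if __name__ == "__main__":
    secret = b"12345678901234567890"     # RFC 4226/6238 test-vector secret
    v = OtpVerifier({"alice": secret})
    now = time.time()
    code = totp(secret, now)
    print("first use:", v.verify("alice", code, now))        # True
    print("replay:   ", v.verify("alice", code, now + 5))    # False
```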
vanburen•2h ago
This isn't great, but better than SMS and having to have a separate app for each authenticating service though.
A vendor neutral service would be a lot nicer.