As an aside, I hate the nuance-less "SMS 2FA is insecure" line. It's the weakest 2FA form for sure, but it's still so much better than not having 2FA. Even if you support multiple options depending on your product it may very well make sense to stick with SMS as the default to reduce friction.
They do.
Google's Authenticator is as close as it gets to a native Android app, and your secret keys have been synced in Google's cloud for a while now (it's a shame they waited so long).
Apple's Keychain has supported TOTP for ages too.
That said OTPs over RCS instead of SMS are a major improvement if you don't mind your phone number being used as an identifier.
I think that Google does not care about security for their users, because their passwords app is clearly some intern work, not something really well thought out. They just slapped it in to tick a checkbox in their "Chrome password autofill" TODO list and moved on to more pressing issues like implementing user tracking and extracting more ad revenue. Apple had similar issues for years, but I think that their recent releases significantly improved.
I'm not sure we can blame Google for not pushing their Authenticator more, most services have been dead set on SMS and are now slowly moving to Passkeys, probably for the best.
What do you do if google/ms/apple won’t let you log in, or you lose a device, or you lose your phone?
If the answer is “there’s an account recovery path involving a password”, then just accept passwords!
If the answer is “recover the passkey provider account”, then that forces everyone to have a single password / security question / whatever that grants access to all their accounts.
edit: the app used to be open source: https://github.com/google/google-authenticator-android/
"By design, there are no account backups in any of the apps."
You can get service starting at $20 per month. Fi used to have good service in some mountain areas too, with US Cellular. Not sure what's going on with US Cellular right now though. Some kind of half acquisition by T-Mobile.
I always had problems with SMS until I got Google Fi. And that's a problem because, as the article here says, many banks insist on SMS these days. There are various services that give you a virtual number, but they always suffer from one of two problems: (1) VOIP numbers are 'blacklisted' by some banks for security reasons: they want a real cell phone number; (2) I simply don't get SMSs in some cases, for some technical reason.
Google Fi works everywhere. Even when there is no cell phone service: it will tunnel over WiFi.
Google shuts off the data on Fi after you've been outside the USA for a month. No problem, I'm happy to pay $25 a month for a 'dataless' connection that gives me SMS and voice.
* Tello
* Red Pocket
* Good to Go Mobile
If you’re looking for a real local phone number in the location you’re traveling to, then eSIM providers like Airalo can handle that (Airalo has “global plans” that support voice and SMS). Getting such a connection for voice and SMS, as compared to a data SIM alone, would be expensive. So you could get a data eSIM that works locally and use that for “WiFi” calling/SMS with the providers mentioned above.
To be somewhat more specific: while I travel extensively and am in the US often, I am often outside of it for more than a month at a time, and it appears that Google will shut off data outside the US if you use data outside the US for too long. If you are using a different SIM for the primary data connection, it appears that they won't even if you have it enabled as a backup.
The last time I checked, if you wanted "cellphone is off" texting/voice (basically the old Hangouts), you had to enable "Fi syncing", which disabled RCS features. Is that still true? What URL do you go to to do texts/voice? (I see hangouts.google.com redirects to Google Chat.)
The terrain is rugged there, but it is not an "eccentric lifestyle"
It is extremely typical, however, to see the most basic needs of Appalachian people ignored on the grounds of their perceived choice of lifestyle
just this weekend I endured yet another incest joke.. I bet you have one of those ready too
Heck, there are places that are a 20 minute walk from Apple and Google HQ without cell service.
Many "eccentric" lifestyles are not chosen.
For instance, not owning a smartphone or not having easy access to power is not necessarily limited to well-off, tech-savvy hipsters who want to make a statement; homeless people, older people in less connected areas or people in developing countries can also be in that situation.
When you make your services depend on specific access, and you give people without it no escape hatch, your service becoming successful usually means worsening access for people that have fewer means to adapt.
Interesting choice of vocabulary.
You could decide not to serve people without also describing them as freeloaders in order to feel morally righteous about your choice.
I think the discussion is less around "subsidizing" them and more why requiring a cellphone with 2FA to exist and do basic things is kinda stupid.
You were the one introducing this vocabulary (as well as claiming everyone living there does it by choice). Now you try to move the debate again with people "demanding" stuff. None of this vocabulary or framing exists in the original article, or in mine.
Let me clarify the question: why do you insist on framing this debate in a way that makes a moral claim about people's character?
I must be imagining the farms that I pass in the mountains in the middle of nowhere when I go backpacking. Surely your argument isn't, "My farm was here, so it's impossible for other farms to be in different locales"?
>I once...
My phrasing did not suggest "one time" (the phrase was "I pass", suggesting regularity), and it's not just one single farm, it's a few, and I've passed them many times. I have to agree with someone else[1] about your using vocabulary that others haven't introduced - I question whether or not a good faith discussion can be had because of that. Have a good one!
Recently former homeless person here. The Republicans in Congress refused to renew the Lifeline program in 2023 and the replacement is objectively worse in every single way.
> Not all choices need to be subsidized.
Ah yes, being homeless, a choice. I hope it never happens to you.
1. Has internet, has WiFi calling.
2. Has a cell phone, but the signal is crap at the house.
Before you answer, that describes my house exactly. And I live in Redmond, WA, and a 10 minute drive from the Microsoft main campus. Though the neighbors might disagree, there is nothing eccentric about my lifestyle.
I implemented rate limiting/lockouts for too many 2FA failures. I added the ability to clear the failed attempt count in our customer support portal. If we had any problems after those were implemented, I never heard about them.
Requiring Bluetooth and an Internet connection on your phone suggests that that's exactly what they removed on their side. Quite clever, if true – why pay for network connectivity if you can just piggy back on your customers'? (Nevermind those customers without a smart phone and data plan...)
Let's put it like this: The old ones (with a display) definitely do, because they can send email notifications. I would be very much surprised if the new ones didn't. The main reason for requiring the app isn't connectivity to the outside world, it is that they can save money on the terminal screens, which get vandalized frequently in some areas. The internet connection is probably a fraction of the cost of replacing those touch screens every few months.
I guess this would be easier in a neighbourhood laundromat with local clients, but in a hotel with many foreigners it becomes a pain with so many dependencies needed to use the washer and dryer.
2) Bluetooth can ensure that you are in proximity of the locker, otherwise you could accidentally unlock a locker while standing at the wrong rack.
2. Ask the cell phone company for a femtocell. These used to be called "AT&T Microcells" and they were cheap. I used one before cell service improved because I live in the mountains. But apparently AT&T don't make them any more and now they cost $2500.
https://www.waveform.com/products/verizon-network-extender-f...
3. Subscribe to mightytext.net so you can get SMS on your computer. I don't know if this works if your cell phone can't get signal; I use it because I find it easier to use my laptop keyboard to type SMS messages than to use my thumbs on my phone.
It can't – how would it?
The only entity that can forward texts is the carrier, and I doubt that that service is integrated with all US carriers to somehow get them forwarded (which is technically quite difficult for various legacy protocol reasons).
Apple's satellite messaging service is the only solution I know of that can somehow hook into carriers' SMS home router (or IMS equivalent) infrastructure to intercept and out-of-band forward SMS.
Anyway, it’s probably possible to make a service like that. You might need to route through a country with permissive laws.
Allowing SMS interception without the home network's consent seems like a quick way to get offboarded as a roaming partner.
Are you sure it actually does this?
I thought it was a pseudo-carrier that could speak MAP / Diameter, and just pretended you were roaming with them when you used satellite connectivity, perhaps with the original carrier's knowledge and consent.
As far as I understand, that's how this kind of service usually gets implemented.
Would that approach also allow the extra functionality they seem to be offering, such as only recently messaged numbers and emergency contacts being able to send messages to satellite users, though? I suppose they could just reject all MT-Forward-SM with sender numbers they don't like?
> As far as I understand, that's how this kind of service usually gets implemented.
Do you have any other examples for solutions like this? Are you thinking of (pre-VoWifi) carrier apps or services that could receive texts, sometimes on multiple devices?
I'm building the opposite, using the modem and a Raspberry Pi to send me metrics from my cabin, but could easily work in reverse.
While prototyping I had it parse SMS messages I sent it.
Obviously not for everyone but we're on HN here...
PUSH approval could be used instead but then you need to download an app for every service you use, which isn't very convenient.
PASSKEYS offer a solution which will work on both web and mobile and don't require you to download an app for every service. But it's a new concept that people need to learn so how fast they will be adopted is yet to be seen.
The Secure Payment Confirmation [1] extension to WebAuthN supports using passkeys on third-party sites (think merchant checkouts) and including signed structured messages (think "confirm payment of <amount> at <merchant> on <today>").
It wouldn't be crazy to imagine authenticators with small OLED displays to provide an end-to-end secure channel for displaying that information, similarly to how cryptocurrency hardware wallets already do it.
Of course, this would require a certain popular hardware and software manufacturer with a competing payment solution to implement the extension...
SMS 2FA tied to your mobile number sucks if it doesn’t support Google Voice, especially when traveling internationally and your SIM card isn’t in your phone.
Email 2FA usually works, but I just find it annoying.
App-specific push notifications mostly work, but it’s hard to debug if you don’t get the notification. For example, I recently bought a new phone and all of my apps were reinstalled when I restored from a cloud backup. For some reason app notifications didn’t work until I uninstalled & reinstalled the apps. And reinstalling the apps was a bit confusing because some of the apps were not available in the app store based on my physical location in a different country at the time.
The server just needs to remember which TOTP codes have been used and to reject after the first use.
The code is no longer sensitive after it has been used, so jam it in a database that can expire tuples after a few minutes or stick it in an login audit table if you have one.
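Two of the comments above describe server-side pieces that belong together: rate limiting and lockouts for repeated 2FA failures, with a customer-support action to clear the failed-attempt count, and remembering which TOTP codes have already been accepted so a second use is rejected. The following is an added example written for this page, not code posted by any commenter. It assumes the RFC 6238 defaults (HMAC-SHA1, 6 digits, 30-second steps), a one-step skew window, and an illustrative policy of five failures followed by a 15-minute lockout; the in-memory state would live in the user record in a real deployment.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30          # RFC 6238 default time step
DIGITS = 6
WINDOW = 1                 # accept one step of clock skew either side
MAX_FAILURES = 5           # assumed policy: lock after this many bad codes
LOCKOUT_SECONDS = 15 * 60  # assumed policy: how long a lockout lasts


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now // STEP_SECONDS))


class TotpVerifier:
    """Per-user verifier state: replay guard plus failure counter and lockout.

    Kept in memory here so the example runs stand-alone; in production this
    state is stored with the user so it survives across requests and servers.
    """

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_accepted_step = -1   # highest time step whose code was accepted
        self.failures = 0
        self.locked_until = 0.0

    def verify(self, submitted: str, now: float) -> str:
        """Returns 'ok', 'replay', 'bad_code' or 'locked'."""
        if now < self.locked_until:
            return "locked"
        current = int(now // STEP_SECONDS)
        for delta in range(-WINDOW, WINDOW + 1):
            step = current + delta
            expected = hotp(self.secret, step).encode()
            # constant-time comparison so timing does not leak matching prefixes
            if hmac.compare_digest(expected, submitted.encode()):
                if step <= self.last_accepted_step:
                    # correct code, but it (or a later one) was already used:
                    # a replayed code is treated like any other failed attempt
                    return self._fail(now, "replay")
                self.last_accepted_step = step
                self.failures = 0
                return "ok"
        return self._fail(now, "bad_code")

    def _fail(self, now: float, reason: str) -> str:
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return reason

    def support_reset(self) -> None:
        """What the customer-support portal button does: clear the count and the lockout."""
        self.failures = 0
        self.locked_until = 0.0
```

The replay guard stores only the last accepted time step per user, which is enough because any step at or below it is refused; the window still lets a slightly slow client clock authenticate, but never with a code that has already been spent.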
> port her cellphone number to a VOIP provider that does support receiving SMS from shortcodes over wifi
That's generally a great solution – unless the company she's dealing with is one of those that don't send SMS-OTP codes to VoIP numbers for seCuRiTy reasons, or demand that the number is somehow "registered in her name" (which many smaller carriers apparently don't do).
I really wish that were illegal. A phone number is a phone number.
> she turned on wifi calling on her phone. now she could receive SMS messages from friends and family, but 2FA codes still weren't coming through.
Interesting, I was under the impression that SMS over IMS was implemented transparently to external senders. But given what a hack the entire protocol is, I'm not really surprised.
It pisses me off to no end. I use a few different banks and some are fine with google voice, others are not. One only allows customer service to send SMS tokens to google voice but not through the regular flow. In all but one case, they will happily robo call my google voice number and have a tts engine read me the same code that they didn’t want to SMS.
Security policy by rng, ffs!
It’s insane to me that maybe every bank I use requires SMS 2FA, but random services I use support apps.
It's inexcusable.
I really agree with it, but that’s probably their rationale.
Yes, a digital OTP generator is more susceptible in theory to theft or duplication than a hardware token.
Yes, the benefits of digital OTP are great compared to password only, more secure than SMS, and trivial to implement.
SMS-OTP, with all its downsides, allows attaching a message of who you're paying how much to the actual code.
Personally I don't put TOTP tokens into my password manager and keep a dedicated app for it, just in case my password manager is pwned.
I'd probably keep a TOTP app if I actually brought my cell with my everywhere but I really don't feel like it; if I'm heading to a cafe to work for a bit I might need to access something and can't be bothered to bring two devices.
Plus, people increasingly access stuff from cell phones, so it's not a guarantee of "something you have" anymore. And no shot we're convincing everyone to start carrying some kind of hardware token.
You have to remember that cybersecurity isn't driven by what is secure so much as by what is compliant, and increasingly so.
I registered it about 13 years ago. I didn't transfer it from a landline/cell phone, it was picked from a list of Google Voice numbers available in my area code. I've never had Fi.
Here's an example response (subscriber name redacted):
{
  "data": {
    "name": "LASTNAME, FIRSTNAME",
    "line_provider": "Google/Bandwidth.com (SVR)",
    "carrier": "Bandwidth.com",
    "line_type": "landline"
  }
}
I was wondering about that, because I can't get google voice because I have google fi, so clearly it's using the same bank of numbers, but maybe once they are fi, they are ported to T-mobile instead of their own CLEC.
There are a few popular companies that blacklist VoIP numbers, but most don't. Even Chase, which historically blocked Google Voice, started allowing it a couple years ago.
*The bands acquired with the Sprint merger have service, but the cheap used phone I bought was pre-Sprint-merger and lacked those bands.
I can probably illuminate some things here. This is almost certainly the SMS API they're using. Your phone, and your network by extension, does not care if the phone is technically online - so those messages get received because they're literally sending in the blind (and if the recipient is offline, the message gets temporarily stored by the receiving carrier for around 3-7 days before it is discarded).
These SMS OTP systems validate "reachability" (using APIs like https://developer.vonage.com/en/number-insight/technical-det... and https://www.twilio.com/docs/lookup/v2-api/line-status) and will not send a message if a number is 'not' reachable. Unfortunately, as implied by the air quotes, these methods are not infallible. This is done to reduce the costs of sending the message (carriers charge a lot more for commercial customers), but this is definitely stupid for an already-validated number like in this case.
I have such a ported number and have no issues receiving SMS 2FA codes.
European speaking. For completeness:
The financial directive PSD2[1] allows SMS to be used as 2FA only because KYC has already been done for that number (anonymous SIMs are no longer allowed in the EU).
Also note that the 2FA is not the OTP code you receive. This code is just a proxy for probing "something you have", with the "something" being the phone number which, again, is linked to a physical person/company.
I have commented this several times, but as of today, SMS is the only 2FA method that can be easily deployed at scale (all demographics, all locations, compatible with all mobile devices)
[1] https://en.wikipedia.org/wiki/Payment_Services_Directive
Ah. That explains why they asked for my life history when I tried to buy a local SIM in Italy.
Surely Ireland still allows them? If not, they're trivial to source from NI.
No, no, no, no, NO. No it's not. And you have zero proof of this. Its done this way because its the lowest effort to give security theater.
I don't think that's true. Is there even any way for banks to ask your mobile operator for your identity (or confirm it), in the way that US banks seem to be able to? That seems like it would run afoul EU privacy regulations.
And regarding the EU "anonymous SIM" regulation: That one ironically only seems to apply to prepaid cards. To my surprise, I was just able to register a postpaid line using no identity verification whatsoever a few days ago...
> This code is just a proxy for probing "something you have", with the "something" being the phone number which, again, is linked to a physical person/company.
The "thing you have" is actually the SIM card. That's supposedly why email OTP does not count – an account on some server is not, or at least not cleanly, "something you have". (A pretty poor decision, IMO, but that's a different story.)
> I have commented this several times, but as of today, SMS is the only 2FA method that can be easily deployed at scale (all demographics, all locations, compatible with all mobile devices)
All demographics except for people that change phone numbers frequently. All locations except those that don't have cell signal (or for plans without roaming). All mobile devices except those without a SIM card slot. An authentication solution for absolutely everyone! /s
Completely different beasts. One is P2P, the other is A2P
...
"... unless the company she's dealing with is one of those that don't send SMS-OTP codes to VoIP numbers for seCuRiTy reasons ..."
Correct.
This is, in fact, a terrible idea because even if you do find a VOIP provider that can receive SMS from "short codes" (the weird little numbers your bank sends codes from) that is a temporary oversight and will get "fixed" eventually.
Remember:
None of this is for your security or to help you. All of these measures are just sand in the gears to slow down the relentless onslaught of scam/spam traffic.
Your bona fide mobile phone number is a "proof of work" that these providers are relying on in absence of any real solution to this problem.
Exactly, and I simply refuse to do their work.
So, everybody wins. :(
Companies do SMS because their VP of security compliance demands 2FA and because it's easy and has mature existing third-party vendor support. No tinfoil hat needed for this one.
https://www.eff.org/deeplinks/2019/10/twitter-uninentionally...
https://techcrunch.com/2018/09/27/yes-facebook-is-using-your...
I implemented 2FA for my previous employer and we would have gladly skipped SMS 2FA if we could get away with it. It's more expensive for the company and the customer. And it sucks to implement because you have to integrate with a phone service. The whole phone system is unreliable or has unexpected problems (e.g. using specific words in a message can get your texts blocked). Problems with the SMS 2FA is a pain for customer service too.
Maybe verizon is incompetent or malicious?
What happens if you’re overseas or in a cell dead spot with wifi? The latter happens to me all the time in the city.
It’s amazing how many hip “use your phone to order!” restaurants are in cell dead spots, and have set up wifi access points as a workaround.
The 4G router also has the benefit of being able to use externally mounted antennas. Which might help in low signal areas.
Not ideal, but might at least be a solution for some people.
[1]: https://wiki.teltonika-networks.com/view/SMS_Forwarding_Conf...
> she usually doesn't even have service 100 meters down the road.
An outdoor antenna would be better, but yeah more of a pain. I guess it really depends on how badly someone wants SMS.
SMS 2FA is terrible though.
2. People love binding individual accounts to specific IP addresses, and large marketing firms especially like websites that use free DNS service to quietly track said users across the session
3. Much like DRM, the account auto constrains a single user to a single IP. Makes sense... unless you run a business account with a dozen people clearing a shared inbox
4. SMS inbox phone numbers are $2.75, and that requirement is bypassed if the company smartphone hardware/emulation is in use for account "recovery"
5. SIM hijacking and email server snooping is far more common than people like to admit
6. People feel safer, but it only increases the CVE difficulty level slightly above third world skill levels
This is why we can't have nice things =3
It would require a lot of trust.
Similar and related discussions on this post:
If I had stayed there longer, I might have found a better solution for my personal situation, but the experience as it was left me pretty uncomfortable with mandatory SMS 2FA as a general security tool. I'm sure there are many other people running into similar edge-cases.
Talk to your provider, explain to them you get poor service at your home or place of work, and they'll send you a free Internet-in cellular-out radio AP. She doesn't need a tower-based booster if she's got fiber/cable/DSL, those only serve to amplify weak signals and she's too many miles and too many mountain ridges away from the nearest tower, she wants something with RJ-45 input, a little GPS antenna so the cell supports e911 location data, and it will broadcast LTE (or now 5g) cellular data.
I work at a shop with metal walls located in a river valley. It's a cellular data black hole. People used to climb the hill up the driveway to make and take calls, but various people called their AT&T, Verizon, and T-Mobile providers and all three shipped us femtocells. Now the users and the contractors/customers who come to visit can't even tell that their phones have switched to data over our ISP instead of a tower, it just works - including 2FA codes and MVNOs.
She may have to switch to first-party Verizon service instead of using an MVNO.
A lot of office buildings have these in them. I think the personal ones are how they get around some of the issues with government requiring them to build networks to certain coverage. They just don't build it out and when someone complains they offer them one of these.
Also because a lot of office and residential towers have people high above street level, and the buildings have radiation-minimizing windows so that no cell signal can penetrate. The cell companies put their sites 30 feet above the street, not 600+ feet up.
AT&T did try to add some additional tamper switches and protection inside their units so they’d brick if you opened them - that was known since the MicroCell era. I believe T-Mobile’s former CellSpots were also tamper-protected in the same manner (they both deployed Nokia LTE small cells).
AT&T also appears to now charge you for the privilege of deploying the newer Cell Booster Pros if you want 5G - I assume that cost ($30/mo per cell!) is basically covering licensing the backend for all of that.
Wi-Fi Calling uses a different SeGW endpoint and is pure IMS back to the carrier voice network, regardless if you shoot it over WiFi or back over a dedicated APN on the LTE network in the normal VoLTE fare.
So would a cell booster / network extender using eNodeBS ( https://en.wikipedia.org/wiki/ENodeB ) actually help in the scenario in the original article?
Or would it end up as the same issue with wifi calling, where "messages from 5 digit shortcodes often aren't supported over wifi calling" ?
(Fun trivia: Our office paid $XX,000 for AT&T MicroCells which wouldn't activate because they couldn't get GPS signal.)
Those come with their own set of problems. In particular, they have to be able to receive a GPS signal, which is often not possible in mountainous terrain. I had a microcell for years and it was nightmarishly unreliable. Not only would it regularly (but randomly) just stop working, it would give absolutely no indication of why it was not working.
Strange, because my AT&T Microcell didn't require a GPS signal. I kept it in the cabinet under the sink deep inside a large apartment building where there's no way it could get a GPS signal.
I haven't used since I moved a few years ago. Perhaps it's changed.
https://paulstamatiou.com/review-att-3g-microcell
"After giving the MicroCell some power and ethernet, it will start blinking the 3G and GPS LEDs. Wait, what.. GPS? Yep. To limit the MicroCell from working outside of test markets (or out of the country too), it must get a GPS lock on your location. AT&T suggests this should take no longer than 90 minutes. It took me about 5 hours."
And this was the fundamental problem: there was absolutely no way to know if progress was being made or if it was going to run forever. It was literally a real-world Halting Problem.
You might even try to block incoming SMS. In fact, you might also try a forward with Twilio or a free Google Voice number, since a lot of SMS TOTP refuse to work with those numbers :)
I've even had success removing my phone number entirely from certain types of accounts, but sometimes I had to deliberately break the account (eBay) and then it tries to get you to confirm on each login which you can sometimes bypass by changing the URL or clicking the company logo.
Be sure to have strong security in other ways; strong, non repeated passwords.
But this is truly insane. Large banks don't even offer the option of TOTP but instead require far more insecure SMS. Maybe they'll offer RSA dongles, because they never bothered to remember when they all got completely leaked ten years ago or how they accepted $10M to completely compromise their constants.
What can you say, large enterprises are behind the security eight ball, as always! It's a tale as old as time.
https://www.wired.com/story/the-full-story-of-the-stunning-r...
https://www.theverge.com/2013/12/20/5231006/nsa-paid-10-mill...
The point of SMS 2FA is tracking.
It's to force you to give them your phone number, for their own marketing, but also selling your customer profile to companies like Palantir.
This also makes the government happy, because they can scoop up your SMSs and they get a nice handy list of every service you use which makes warrants easier, but also gives them info about when you log in or do other actions on those accounts.
SMS 2FA costs these companies far more than TOTP would, but they still use SMS 2FA. That tells you everything you need to know...
Your carrier is already capable of redirecting your SMS messages to other carriers, that's what they do when you're abroad and roaming with a foreign operator. You could make a fake carrier that speaks the right protocols on the roaming side, but communicates with the customer over the internet (using an API or a proprietary app) instead of LTE or GSM.
This would essentially work like an SS7 redirection attack, but with the full knowledge and consent of the "victim." You could alleviate the security impact here by requiring SIM card authentication, just like a normal carrier does, which could be performed through the internet and an USB reader just fine.
Carriers would probably hate this and might not be willing to sign roaming agreements with such a company. I wonder whether a gray-hat route would be possible here, especially if the company was outside US jurisdiction.
This is THE problem with your idea. Congress would have to pass a law forcing them to do it, or they won't.
You'd probably have more luck physically keeping someone's SIM card, keeping it installed in a phone, and watching for new texts. Perhaps you could make a box that simulates 10 phones at once.
This has been essentially been tried multiple times, e.g. by FreedomPop and Republic Wireless.
On what grounds?
> I still think they have a good chance in court
Can you share the law you think was violated?
And in the end, it's still a gamble that you may lose your case.
This does not seem plausible. I live in an urban area but do not have a good cellular connection at home, and my mobile phones usually route calls via home WiFi. All SMS come through. It is just a low-level transport and I doubt it cares about message size or numbers.
- username
- password
- one time generated 16 digit number
- SMS confirmation
- email confirmation
- phone call with an associate
- retinal scan
- DNA sample
Whereas to log in on mobile all you potentially need is a 4 digit pin which a passerby could easily observe, then yank the phone from your hand?
I'm often traveling outside of the US, and my AT&T prepaid line most definitely does not roam outside of CAN/US/MEX. I spend the bulk of my time in WiFi calling mode. I have never had any issues receiving or sending SMS over WiFi, including to short codes.
Luckily this is starting to change. Apple's Passwords app does TOTP out of the box.
Though I am mystified why Google Authenticator doesn't come pre-installed in Android.
It didn't need bells and whistles and constant security updates, but it took 13 years for it to get cloud-sync support so you could backup your codes.
I have been using this setup for a few years now without any issues. Even when I am not roaming, I still have this setup on my primary phone. So when I am on my computer and need a SMS OTP I don't need to go find my phone, I receive it in email :-).
(Note : This doesn't work with MMS but I don't need them anyway)
Lately though, SMS works over WiFi calling and usually if I need a real SMS where Google Voice won't cut it, it can wait for WiFi...
I roam all the time in Europe and have roamed a lot outside of it, I have never had any trouble receiving any SMS?
Some phone plans in my home network do not support international roaming, or if they do, it is so ridiculously expensive that it doesn't make any sense to take the phone roaming.
>> Some of the comments pointed out that this is hostile behaviour for people roaming as well
> I’m sorry how is this related to roaming?
This is called a "2FA Mule":
https://kozubik.com/items/2famule/
I have done this for 4+ years now and it works wonderfully. Good for you!
also was surprised to learn from the article that some carriers don’t support the 2fa 5 digit numbers over wifi calling/sms. when I travelled abroad recently that was such a life saver since my carrier supports it
For example, I'm actually liking Walmart.com more than Amazon in some ways lately, but logging into Walmart.com takes minutes while I wait for the 2FA after I already password authenticate. So Amazon wins all the casual browsing and impulse sales, and by the time I do log in to Walmart.com, it's only because I know I want to order something from there specifically, and it's already feeling tedious.
Some off-the-cuff suggestions, since the worsening authentication experience really bugs me:
1. Present the email/username and password fields simultaneously, so that browsers like Firefox can fill out both fields. (A lot of sites have started showing only the email/username to start, and also making that rely on non-login form field filling. And only after you type in your admin/email, because you don't form autofill in general, does it present
2. After user opts to authenticate with a password rather than SMS/email code, let them in, unless you're something like a bank or a medical provider. (Don't then make them do the SMS/email code anyway.)
3. If your mega online store handles HIPAA-sensitive data for some small percentage of visits, and you need 2FA for that, maybe only do the 2FA to upgrade the authentication confidence for session. (Or maybe the more sensitive data is on a different backend anyway, so as not to encumber all the developers implementing Wheaties logistics, with all the additional protections that are needed for medical records, nor to add additional weak links leading to leaks.)
4. When SMS/email 2FA is really necessary, send it immediately and reliably, and make it copy&pasteable. (Sometimes I wait minutes, and other times it doesn't come through at all. And I've even gotten email ones where competent-user text-selection picks up whitespace somehow, or even a weird unprintable Unicode character, which breaks the code entry when pasted.)
5. Those buttons to authenticate a variety of other sites are needlessly leaking information, and creating additional ways to compromise the account. (That's what you do if you want to reduce friction to first visits to your site, for which people aren't interested enough to create a password to use -- but not for logins from recurring customers.)
6. Don't prompt for "remember this browser?", and don't otherwise rely on the persistent tracking data deposited on the user's browser, across explicit authentication sessions, such as to decide whether to 2FA. For one reason, those persistent data mechanisms are overwhelmingly for shady abuse by the adtech/surveillance industry in shady ways, and are frequently cleared by privacy-conscious users. And why is a bank, for example, complicating the UI, to ask ordinary users whether to lower their authentication security on this device, and expecting much sense out of that at all. Keep it simpler, more secure, and more responsible or respectable.
7. If you must support 2FA, make TOTP an option. And not TOTP-incompatible codes that require installing your app, or that depend on some oddball third-party proprietary authenticator app/fob that seemed like a good idea at the time but is not a reason not to support TOTP. (You can still grandparent in the legacy proprietary 2FA, for those long-time users who've been using it, and be clever about not complicating the UI for those dwindling users, nor for the increasing users using the more current open standard.)
I would want to see X.509 client authentication used more often. It has many advantages, such as:
- Cookies and JavaScripts are not required.
- The credentials cannot be stolen. (With TOTP, the credentials can be stolen for one minute. I have been told that some implementations only allow thirty seconds, but that can cause problems with legitimate authentication if the clock is not precisely synchronized.)
- It does not require a web browser; it can also be used for command-line access as well (rather than using API keys, which are really just another kind of passwords, with the same problems).
- It is independent of HTTPS; it can be used with any protocol that uses TLS (which includes HTTPS but also others). Therefore you can authenticate with multiple protocols if wanted.
- The private key can be passworded for additional security, if desired. (This means that it can already be like a kind of 2FA, but on the client side instead of the server.) This password is never sent to the server.
- If permitted, the keys can be used to sign data which is distributed, allowing other receivers to verify it. This is true of using public/private keys in general, even without X.509. (If X.509 is used, the keys might or might not match those used with X.509, and this might be mentioned in extensions inside of the certificate.)
- They can be used to allow using credentials from one service to log in to a different service if the user intends to do so (and the service allows it, which it should not be required to do). No authentication server is needed for this, since the necessary information is included within the certificate itself. (The buttons to authenticate a variety of other sites, that you mention, also will be unnecessary.)
- Partial or full delegation of authorization is possible (if the service that you are authenticating with allows it). Each certificate in the chain can include an extension specifying the permissions, and the certificate chain can be verified so that each one has a (not necessarily proper) subset of the permissions granted to the issuer certificate.
- You could have an intermediate issuer certificate to fully delegate authorization to yourself (as mentioned above), where the corresponding issuer private key is stored on a separate computer that is not connected to the internet, in addition to being passworded, for additional security, if this is desirable. If the certificate that you are using to authenticate with the service is compromised, you can create a new one with a new key and revoke the old one.
- Some services may allow you to authenticate with any OpenID identity provider, including making up your own. X.509 is a better way to do something similar; if self-signed certificates are allowed, then anyone can make up their own, without being required to set up an authentication server. OpenID also allows additional information to be optionally provided, and this is also possible with X.509 (without the additional information being limited to a fixed set of fields or being limited to Unicode). Also, OpenID requires a web browser but X.509 doesn't require a web browser.
- DER is a better format than JSON, in my opinion.
(However, I also think that TLS should not be mandatory for read-only access to public data. TLS should still be allowed for read-only public access though; it should not prohibit it. The use of X.509 client authentication means that you can't authenticate with unencrypted connections by accident, anyways.)
It would still be possible to support 2FA if this is desired because some users prefer it (and when doing so, it should do the things you mention, since they would avoid some of the problems with existing systems), but should not be required.
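The delegation scheme sketched above (a permissions extension in each certificate, with every link in the chain verified to hold a subset of its issuer's permissions) is easy to try out. The following is an added example, not code from the commenter or from any existing project. It uses only Go's standard library: a self-signed root standing in for the account owner's offline key, an intermediate restricted to read+write, a leaf restricted to read, and a second leaf that tries to claim more than its issuer holds. The permissions OID (1.3.6.1.4.1.99999.1) and the "absent extension means unrestricted" rule are this example's own conventions, not anything standardised.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidPermissions is a private-use OID chosen for this example; no standard defines it.
var oidPermissions = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

type certAndKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn signed by parent (self-signed when parent is nil).
// perms == nil omits the extension, which this example reserves for the account owner's
// own root ("unrestricted"); anything else is DER-encoded into the permissions extension.
func issue(cn string, isCA bool, perms []string, parent *certAndKey) *certAndKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if perms != nil {
		der, err := asn1.Marshal(perms) // SEQUENCE OF PrintableString
		if err != nil {
			panic(err)
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidPermissions, Value: der}}
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &certAndKey{cert, key}
}

// permissions returns (set, true) for a restricted certificate, or (nil, false) if the
// extension is absent. A malformed extension yields an empty set, i.e. no rights at all.
func permissions(c *x509.Certificate) (map[string]bool, bool) {
	for _, ext := range c.Extensions {
		if !ext.Id.Equal(oidPermissions) {
			continue
		}
		set := map[string]bool{}
		var list []string
		if _, err := asn1.Unmarshal(ext.Value, &list); err == nil {
			for _, p := range list {
				set[p] = true
			}
		}
		return set, true
	}
	return nil, false
}

// authorize verifies the chain the way a TLS server would, then walks it leaf-to-root
// checking that each certificate's permissions are a subset of its issuer's, and finally
// that the leaf actually holds the permission being exercised. nil means allowed.
func authorize(leaf *x509.Certificate, inters, roots []*x509.Certificate, want string) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, i := range inters {
		interPool.AddCert(i)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return err
	}
	chain := chains[0] // leaf first, root last
	for i := 0; i+1 < len(chain); i++ {
		subj, subjRestricted := permissions(chain[i])
		iss, issRestricted := permissions(chain[i+1])
		if !issRestricted {
			continue // unrestricted issuer (the owner's root) may delegate anything
		}
		if !subjRestricted {
			return fmt.Errorf("%s claims unrestricted rights under restricted issuer %s",
				chain[i].Subject.CommonName, chain[i+1].Subject.CommonName)
		}
		for p := range subj {
			if !iss[p] {
				return fmt.Errorf("%s claims %q, which issuer %s does not hold",
					chain[i].Subject.CommonName, p, chain[i+1].Subject.CommonName)
			}
		}
	}
	if set, restricted := permissions(leaf); restricted && !set[want] {
		return fmt.Errorf("%s lacks %q", leaf.Subject.CommonName, want)
	}
	return nil
}

// demoChain builds the constructed example hierarchy used below.
func demoChain() (root, inter, leaf, rogue *certAndKey) {
	root = issue("alice root (offline)", true, nil, nil)
	inter = issue("alice delegate", true, []string{"read", "write"}, root)
	leaf = issue("alice laptop", false, []string{"read"}, inter)
	rogue = issue("alice laptop (over-delegated)", false, []string{"read", "admin"}, inter)
	return
}

func main() {
	root, inter, leaf, rogue := demoChain()
	inters, roots := []*x509.Certificate{inter.cert}, []*x509.Certificate{root.cert}
	fmt.Println("laptop read: ", authorize(leaf.cert, inters, roots, "read"))
	fmt.Println("laptop write:", authorize(leaf.cert, inters, roots, "write"))
	fmt.Println("rogue read:  ", authorize(rogue.cert, inters, roots, "read"))
}
```

The rogue leaf has a perfectly valid signature chain; only the subset walk catches it, which is why the check cannot be left to the TLS library alone. Revoking a compromised leaf is the usual CRL/OCSP machinery and is not shown.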
But with the current browser support, client certs haven't seemed viable for consumer sites. Unless the browser developers are inspired to offer better support for mass consumer users, but I couldn't make a strong case why they should.
(I'd rather most consumer sites resume making password authn work well, and then have them integrate 2FA judiciously and well. And stop with some of the counterproductive surveillance capitalism mechanisms.)
OK, I agree, stop with the counterproductive surveillance capitalism mechanisms.
Making password authn work well (using the ideas you mention about improving it) and integrating 2FA (also improving it in the ways you mention) would also be OK, although that should be an alternative choice, so that users who do want to use X.509 and are able to do so can use that more secure mechanism without requiring other mechanisms. The 2FA really shouldn't be required, especially when it causes problems (such as the ones mentioned in the "SMS 2FA is not just insecure..." article, but also such things as the set-up for 2FA not working very well in GitHub, some mechanisms requiring JavaScripts, etc.); those who want to and are able to use X.509 should do that instead.
Another thing that I dislike is the "security questions" such as your date of birth or your mother's maiden name or whatever, which do not help with security at all, and those should not be used at all.
SMS codes have been hit or miss, and this explains it well.
We have known for decades how to do better than that. The fact that at least twice a month (often much more) I read an HN comment saying passwords are great is like discovering most of your friends don't know about germ theory still. I feel so fucking tired.
With a Shared Secret system the person authenticating you can give away the fucking secret and we already know we live in a society where they will blame you and act as though there's nothing they should have done better - that's what "Identity theft" is - blaming other people for the fact you didn't do your job properly.
When you use Human Memorable secrets the humans try to remember them, which means they're usually very low quality, dog's name, favourite band, that sort of thing. Worse, since humans can't remember many things they usually choose only a few and re-use them, so now they're not only a Shared Secret they're also Reused which is even worse.
So then we end up with a whole pile of kludges to try to use "passwords" which aren't really memorable, losing most of the benefits yet still retaining most of the disadvantages. This is an awful situation to be in, it's taken a considerable amount of laziness and incompetence to achieve it.
Passwords do have some benefits. They don't require a phone, it being charged, and fetching it 5 times to go through a couple of services. They can be used from any machine.
Yes, they're not as secure, but as a user I'd prefer to be able to choose for myself whether I want to opt in for additional security. For most sites I don't even give a shit if my account gets hacked, and I have to go through a ton of annoyance every day for no reason.
(However, for some uses, signed messages which can be verified by anyone would be better, in case the message is intended to be public anyways; this is independent of the protocol.)
> and TOTP, the obvious alternative solution, is still pretty sorry. you have to download an app to do it, it's not just a capability that a phone has by default. and then when trying to find an app to use for it, you're presented with a multitude of high-stakes choices, and often pretty technical explanations if you start internet searching about which app to use.
A reminder that mandatory iOS App Store / Android Play Store / (Xiaomi store ???) is even less acceptable than SMS 2FA unless maybe you're a USA(/Chinese) citizen living in USA(/China).
i.e. there is no way to contact the carrier and get the number reassigned to a new SIM unless one first registers the SIM, and hence binds the number to a known identity.
As someone who has dealt with 2FA support, all the methods suck.
SMS 2FA is least secure but has broadest support with quickest recovery method.
TOTP Applications (Google Auth, Authy, iOS Passwords) is more secure but people switch phones, lose phones and so forth and recovery is always a nightmare.
YubiKey and the like have a cost problem and you still have the recovery problem.
A clear solution in my mind is having the Federal Government run some form of centralized hardware based system where hardware could be replaced by a government office after verifying identity. Government does this already for DoD CAC cards. However, in the United States, Privacy Advocates would lose their minds, and funding would constantly be under attack.
So yea, I get SMS 2FA is hostile to mountain people but 2FA is hostile to login services and executive yachts.
Privacy of authentication may be a valid concern (e.g. during voting), but I don't see how it applies here. If what I want is to confirm to the bank that I am who I am, with all the details about me that I have told the bank already anyway, I very clearly and openly forfeit my privacy. I explicitly ask to be precisely identified.
This seems like a rather specific problem that isn't related to mountain people as such but to services blocking "shortcodes", apparently for a variety of reasons. It is true that text and call reliability is becoming a real problem generally where you have these authentication issues. I myself live in the mountains and have dealt with reliability issues.
Here's a discussion of this specific problem with T-mobile: https://www.reddit.com/r/tmobile/comments/ardcnc/aargh_final...
Calwestjobs•7h ago
SMS needs your number, your data is more valuable if marketers can assign your real name to your data. or aggregating all data about you, phone number helps with that.
gruez•6h ago
This is mostly a red herring because most of the places that require SMS OTP already have your full name/address (eg. financial institutions, healthcare providers) or are in a position to intercept communications from which they can infer that information (eg. google). If apps/sites like tiktok want my phone number for 2fa, they can fuck off, or get a burner number.
Calwestjobs•6h ago
same problem with signal messenger or facebook messenger building databases of numbers and contacts. neo4j clone from palantir.
globie•6h ago
"Most"? maybe "a troubling few"?
Phone verification is absolutely a widely exploited data mining opportunity, I don't see how it's a red herring at all. It's one of the worst surveillance mechanisms we live with today, only partially waved away with the 2000's concept of burner numbers.
lxgr•6h ago
"Enter this code only if you want to pay <amount> to <merchant>" is much more secure than "enter your TOTP here", which is a lot like issuing a blank check in comparison (and in fact required by regulation in the EU, for example).
Not even WebAuthN provides that property on a compromised computer; for that, you'd need something like the SPC extension [1] and a hardware authenticator with a small display.
That's unfortunately why we're currently stuck with proprietary bank confirmation apps that can provide it. I really wish there was a vendor-neutral standard for it, but given how push notifications work (or rather don't work) for federated client apps, I'm not holding my breath.
[1] https://www.w3.org/TR/secure-payment-confirmation/
vanburen•5h ago
This isn't great, but better than SMS and having to have a separate app for each authenticating service though.
A vendor neutral service would be a lot nicer.
Calwestjobs•2h ago
or as you pointed out, signing it on smartcard with keypad reader.
but for login TOTP is better than anything else. i can put it on arduino with small oled board and have it in safe/vault offline.
and there is no way for an attacker to MITM, and here lies the problem. companies cannot blame you as easily as with currently deployed technologies... they hide breaches all the time, f... PCI
lxgr•1h ago
There totally is! How do you know you're entering the TOTP on a legitimate website?
WebAuthN prevents that, both by not letting you use a given key on the wrong website, and by including the origin in the signature generated using the key which the relying party can then check for plausibility.
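Two claims in this sub-thread are worth seeing in code side by side: lxgr's point above that a transaction-bound confirmation ("enter this code only to pay <amount> to <merchant>") is stronger than a bare TOTP, and the reply just made that TOTP has no way of knowing which site it was typed into, whereas a WebAuthn assertion signs over the origin. The following is an added example written for this page, not code from any commenter or from the WebAuthn specification. It implements RFC 4226/6238 HOTP/TOTP from Go's standard library, a transaction-bound code of this example's own design (HMAC-SHA256 over counter, amount and payee), and a deliberately simplified stand-in for WebAuthn client data: a challenge plus an origin that the browser, not the user, fills in and that the signature covers. The secret is the RFC 6238 test key; the origins and amounts are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// truncate is RFC 4226 dynamic truncation: four bytes at the offset given by the low
// nibble of the last MAC byte, high bit cleared, reduced to six decimal digits.
func truncate(sum []byte) string {
	off := sum[len(sum)-1] & 0x0f
	v := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", v%1000000)
}

// hotp is RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter.
func hotp(secret []byte, counter uint64) string {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(c[:])
	return truncate(mac.Sum(nil))
}

// totp is RFC 6238 with the usual 30-second step.
func totp(secret []byte, unix int64) string { return hotp(secret, uint64(unix/30)) }

// verifyTOTP is what a typical server does, with a one-step window either side. Note what
// it does not take: the origin the user typed the code into, or what the code approves.
func verifyTOTP(secret []byte, code string, unix int64) bool {
	for _, t := range []int64{unix - 30, unix, unix + 30} {
		if hmac.Equal([]byte(totp(secret, t)), []byte(code)) {
			return true
		}
	}
	return false
}

// txCode is the "only to pay <amount> to <payee>" variant: amount and payee are mixed into
// the MAC, so a code displayed for one transaction is useless for any other. The framing
// (HMAC-SHA256, counter||amount||payee) is this example's own choice, not a standard.
func txCode(secret []byte, counter, amountCents uint64, payee string) string {
	var buf [16]byte
	binary.BigEndian.PutUint64(buf[:8], counter)
	binary.BigEndian.PutUint64(buf[8:], amountCents)
	mac := hmac.New(sha256.New, secret)
	mac.Write(buf[:])
	mac.Write([]byte(payee))
	return truncate(mac.Sum(nil))
}

// clientData stands in for WebAuthn's clientDataJSON; the real thing also carries type,
// and the real signature additionally covers authenticator data. Simplified on purpose.
type clientData struct{ Challenge, Origin string }

func (c clientData) hash() []byte {
	h := sha256.Sum256([]byte(c.Challenge + "\x00" + c.Origin))
	return h[:]
}

// signAssertion is the authenticator's side: it signs whatever origin the browser supplied.
func signAssertion(key *ecdsa.PrivateKey, cd clientData) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, key, cd.hash())
	if err != nil {
		panic(err)
	}
	return sig
}

// verifyAssertion is the relying party's side: the origin must be ours, the challenge must
// be the one we issued, and the signature must cover exactly that client data.
func verifyAssertion(pub *ecdsa.PublicKey, origin, challenge string, cd clientData, sig []byte) bool {
	if cd.Origin != origin || cd.Challenge != challenge {
		return false
	}
	return ecdsa.VerifyASN1(pub, cd.hash(), sig)
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret
	now := int64(59)
	code := totp(secret, now) // read off the authenticator, typed into a phishing page,
	// relayed to the real site a few seconds later: accepted, the server cannot tell.
	fmt.Println("relayed TOTP accepted:", verifyTOTP(secret, code, now+5))

	// The code for 10.00 to bob does not authorise 10.00 to mallory.
	fmt.Println("tx code transfers to another payee:", txCode(secret, 1, 1000, "bob") == txCode(secret, 1, 1000, "mallory"))

	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	phished := clientData{Challenge: "c1", Origin: "https://evil.example"}
	sig := signAssertion(key, phished)
	fmt.Println("assertion from phishing origin accepted:", verifyAssertion(&key.PublicKey, "https://bank.example", "c1", phished, sig))
	rewritten := clientData{Challenge: "c1", Origin: "https://bank.example"}
	fmt.Println("assertion with rewritten origin accepted:", verifyAssertion(&key.PublicKey, "https://bank.example", "c1", rewritten, sig))
}
```

The TOTP server has nothing to check the origin against because the protocol never carries it; the relying party in the WebAuthn-style check rejects the relayed assertion on the origin string, and an attacker who edits that string invalidates the signature. The real specification also scopes the credential to an RP ID so the browser will not even offer the key on the wrong site, which this sketch does not model.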