333 comments

[ 2.6 ms ] story [ 271 ms ] thread
Counterpoint: SMS login and account recovery is good UX, and it's the telcos that need to step up their collective game.
From the article: > For many years, people in the industry have invariably said something like: "Well... offering SMS-based authentication is better overall for customer security, because of its convenience (despite its shortcomings) vs other methods" (such as the far-more secure use of email for verification). To that I say: "who are YOU to deprive your customers of security?"

and

> Much of the ire relating to SIM-swap attacks has, understandably, been directed at carriers. Indeed, carriers do a terrible job of securing customers’ phone numbers, and may be liable for that shortcoming. But here’s the thing: carriers’ security has always been bad, it has even been legislated into being bad, and other companies have still chosen to build mission-critical systems on top of that weak link.

and

> Despite offering poor security, SMS offers a nearly frictionless way to sign up new customers (think of Uber's onboarding) and handle password resets, and companies felt they had to match competitors' adoption of this technique.

This last bit was unfortunately overwritten in a Wordpress post update, and I added it back.

> such as the far-more secure use of email for verification

Hmm.. sure? They have different threat profile. Don't think it is more secure.

There is a straightforward manner to overtake your phone number (call your carrier and use social engineering). There is nothing you, the customer, can do to lock that down. (I've tried with my carrier.)

With email, you can lock that down with robust 2FA (Google Authenticator/Authy/etc) and crooks have no straightforward way of defeating that.

This is how it plays out year after year and why SIM-swap gangs are so prevalent.

Telcos are not responsible for using fingerprint or facial recognition as joint user+password.

When it comes to good UX it’s important to clarify whose goals it’s best for: compromise security for convenience and adoption of an app?

Or setting up the user to succeed more.

SMS is a lazy form of 2Fa. it reminds one of the descriptions of sms being an open postcard.

Theatre and pageantry have limited value where it sets users up for much worse

You know that they won't though, so why even make this argument?
By that logic, consumers and tech companies won't change either and we can bypass this whole discussion.

I live in a part of the world where, on occasion, governments decide to regulate such things.

No, it's not, and it's fucking annoying to deal with. I am on my desktop computer, stop sending me to my phone just to log in because you don't want to support FIDO or some other form of real 2FA. There's a fingerprint reader on my laptop, face id on my phone, and a yubikey in my USB. Fucking use it
> There's a fingerprint reader on my laptop, face id on my phone, and a yubikey in my USB.

Great! Not everyone has that! I do but if I could only implement one type of 2FA I'd probably still pick SMS.

Everyone can get an app on their phone or computer that supports TOTP, such as Google Authenticator

https://en.wikipedia.org/wiki/Time-based_one-time_password

What happens when they smash their phone and now you have to do account recovery? With SMS authentication you can presumably offload that to the carrier.
The problem is customer support load. Also what does the company do about those without a smartphone? No smartphone no service? This is why businesses peg account authentication to phone numbers. It offloads IAM overhead to phone companies.
Who cares. Spend the money on customer service people then. Companies don't need all the profits they make and investors dont need their 10000x returns when 9900x will do just fine.
Here we are on a website centered on an industry that has "solved" customer support by having zero live support. It's RTFM (or FAQ). Sometimes even paying customers get this treatment.
Far far more people have a biometric reader or smart token than have a cell phone.

Smart phones are obviously phones and have biometrics. What you're left with is comparing the number of people with non-smart phones (~31 million in the U.S.) to the number of people without smartphones but who have biometric tablets, Windows Hello-enabled computers, PIV cards, etc.

Do you have statistics on the number of people who do not have smart phones but do have these other devices? I am not sure the intersection is as high as you imply.
The only people who don't use smartphones and don't have an iPad or similar tablet and don't have a recent computer... probably don't benefit enough from 2FA to justify the risk of account lockout.

In my social circle, the people who don't have smart phones are:

- People with disabilities that make reading from a small screen or texting a lot impractical.

- People who work in harsh environments who want something more rugged than a device made out of glass.

- People wary of the distraction of carrying around an entertainment device.

All of these people except one also have an iPad (especially the first group, as the larger screens help a lot). The one who doesn't does have a Dell XPS 13.

[flagged]
[flagged]
the sheer number of even just active phones in the world right now, vastly outnumbers the amount of biometric/card readers ever made, combined.
I don't know about in the world, but there are approximately 325.4 million people in the U.S. with an active cell phone. https://www.consumeraffairs.com/cell_phones/how-many-america...

Of those, approximately 309 million (95%) own a smartphone. https://www.consumeraffairs.com/cell_phones/how-many-america...

Any remaining gap is filled by a single year worth of iPad sales; or filled by just U.S. DoD-issued X.509 certificate cards.

It's shocking to me how many people are vastly underestimating how many biometric devices and smart tokens are in existence.

I would wager the number of people in the US with a smart token (I’m assuming you mean something like a Yubikey, ≈22M worldwide, most users have two) is probably close to 1:1.

I would also wager the number of people with dumb phones are close (but not as close) to those having computers without any biometric capabilities (and if they have them, they’re not set up).

The macOS/iOS integration for autofilling SMS 2FA is so convenient due to this. Basically everything I do online now requires it.
When it works.

I switched this off by choosing the wrong answer to some vague prompt and could never figure out how to re-enable it. Assuming it's like the many iOS settings that can be reverted only by resetting the phone to factory defaults.

It doesn’t work on all sites and apps, which is an annoyance. Why it can’t intelligently offer the SMS OTP when a user is just waiting on an input field and an SMS comes with a code is beyond me. They should be able to decipher the messages, regardless of variations in formats, and know the code.

BTW, the setting to enable or disable this seems to be under Settings->Passwords->Password Options->AutoFill Passwords and Passkeys. Turning it off and on may also work (as these things tend to behave across devices and operating systems).

I feel like it works 99% of the time for me, can’t name a website where it doesn’t.
Hey look, a bunch of disjointed, vendor-specific non-standards that become impossible to support. Imagine some hapless Filipino support agent trying to explain to an irate customer their YubiKey drivers are borked.

Why don't we just issue everyone PIV smart cards?

Non-standards? They all implement the WebAuthN standard.
I don't know about the windows side of things, but on Mac I imagine there's just one fingerprint API to support, same with face id. Yubikeys either work or get their drivers from the cloud like most other devices nowadays. I also dont know much about what android has, but I would be suprised to learn if there wasn't native support for the various standards that are in place today, even if manufacturers aren't using it.
> Why don't we just issue everyone PIV smart cards?

Particle Image Velocimetry?

Penis in Vagina?

Pentium 4?

Edit: Hah! Personal Identity Verification!

From the examples I've seen, the attackers essentially become the customer. They've either socially engineered the customer or done research to gain access to enough information to validate themselves as the customer. Come up with a solution and sell it. You'll make some money.
Well that got me thinking. You could stand up a third party verification service and sell the offering to companies that don't want to be bothered with authenticating the user. Something like Okta (I know, bad example when talking infosec at the moment) for real life.
They won't pay for it
With the right legal language, I think they would.
I just realized this does exist (kinda) in the US with identogo. Could be an easy service offering for them or a partner for another company focused on the mfa issue.
There are numerous ID-proofing services out there.
Somebody already pays for it. Once regulations ensure that it's the companies skimping on KYC themselves, most will happily outsource that task to the cheapest (compliant) provider.
They pay for Twilio.
That's kind of the point, US Telcos don't really validate customer identity - probably because they can't, due to the general limitations of USA documents leading to relatively easy identity theft where merely having enough information is sufficient to impersonate someone. (A simple test - is your verification process likely to stop someone's parent, spouse or sibling from impersonating them? If no, you're not really verifying identities.)

It's not something where a private entity can sell a solution, you need a more solid root of trust for verifying actual identities, like many other countries do, but that's not going to happen in USA any time soon.

while it works well a majority of the time, it results in an exceptionally bad UX if you lose your phone, don't have reception, or are traveling outside of your service area
I once worked in a building with terrible cell reception. I hated anything that required SMS for 2FA because I'd have to go outside to get the text message.

My in-laws lived in an area with poor cell reception too. Whenever I'd go there, I couldn't use SMS either.

Both of those places had good Internet service. Any time SMS was required, my UX was terrible. Hooray for anyone who supported TOTP, email, or any other form of 2FA.

I wrote a comment 11 days ago talking about SMS for a second factor, but it applies in general as well: https://news.ycombinator.com/item?id=39130032 Email is better, for sure, but mostly because email providers are either controlled by the user (for us nerds with a custom domain) or a large, impersonal entity (google or similar). Neither is available to change by attackers in the same way as phone number providers are.

I work for an identity provider and we have a number of folks who want us to support this, almost always from a UX perspective.

I think that there also needs to be some onus on the phone providers, as suggested above. With the continued push to have the phone number as a global identifier (offline and online), we need our telco providers to require more to change phone numbers.

> With the continued push to have the phone number as a global identifier (offline and online), we need our telco providers to require more to change phone numbers.

No, we need to push back on this user-hostile trend, not stick on yet more band-aids.

Phone numbers are country-specific, impossible to own in any meaningful way for private individuals (unlike e.g. domain names), and add an unnecessary point of failure.

Counter-counterpoint, when companies implement a system with a known flaw, then they're responsible for the consequences of creating that system.
OTP can be social engineered, hardware keys can be stolen, who determines what constitutes a flaw?

Edit: also, do both pay in this case? The telcom and the service?

That’s a problem with the user, not the protocol or the system, users have been and will be always the weakest point, but they are accountable for it if it happens, not the case for sim swap attacks.
Yes, true. However- to paraphrase a red team operations book I read, if the user can be tricked into into compromising your security with a click, then you can't blame the user. An organization's defensive security strategy should not hinge on a single user's decision to click or not.

Edit: I am swapping users with you, sorry for the confusing reply. I'm thinking telcom employee, you user of the app that got swapped (I think, apologies if I am wrong)

Ha! I was going to say if you solve the user vulnerability then congratulations, all systems are mostly safe! Before reading that you meant telecom employees.

The reality is TOTP despite any issues, is far more secure and available than SMS, security for obvious reasons but also availability, you can have your TOTP token accessible everywhere (say in your password manager) but if you can’t receive an SMS because you lost your phone or maybe traveling, then you are in a tough position, maybe even locked out completely. I personally even back up the TOTP tokens so I can reuse them without being tied to specific platform/app (I am looking at you Authy!)

I completely agree with you.
If having your account hijacked is is a good user experience then I have no idea what UX means.
Maybe SIM swapping shouldn't be so easy in the first place.
Sure, agreed, but until that changes stop using SMS for 2fa systems.
I completely disagree. Using a corporate account for personal identification is a major failure of public infrastructure.

The US government should step up it's game.

An individual's identity financial transactions should NOT be determined by holding an account at one of 4 mega-corporations.

We should work towards something in this direction: https://e-estonia.com/solutions/e-identity/id-card/

Getting the government involved in this is the only worse idea than delegating to 4 major corporations. It should be delegated more broadly and users should have more options not less.
It's obvious that government is already involved with everyone's identification.

This is analogous to the argument that government shouldn't be involved in "the free market", when the market is actually defined by the laws that regulate it.

Let's just call this the "Texas Delusion"...

Governments can be changed by democratic processes, corporate decision making is completely inaccessible to the public.

Do people really think life would be better if goggle just ran everything?

I’m so happy other people think this too!!! No one trusts the government, but usps is still offers pretty good privacy. I want mandatory acceptance of a gov issued ID, but at the same time i want to be able to use things anonymously.
Not everyone has (or wants) a phone or to grant control of their life to a cell phone carrier
Yes having an SMS sent to a number you no longer own is great UX.
If you don’t have your phone; if you’re abroad and don’t have SNS; if you’re in a building with no service; if you changed your phone number, they all suck.

Also, another valid point is that often times it’s hard to tell what’s a legitimate SNS message and what’s phishing. Their phone numbers are always gibberish and sometimes change between requests.

If you never move internationally, travel abroad, are outside cell coverage, and don't value security too highly, it sure is.
Any auth mechanism that requires a trusted third party is hardly an auth mechanism at all.
>Counterpoint: SMS login and account recovery is good UX, and it's the telcos that need to step up their collective game.

Oh, yeah, fantastic UX.

I've had my phone and credit cards stolen while traveling abroad (such a hard-to-imagine scenario, innit?), and was consequently locked out of all important services.

Very good UX: being left without a phone and access to bank account and email and most messengers at the same time (thankfully, Skype isn't one of them).

Double props to CitiBank for requiring SMS authentication to change the phone number on the account.

I agree that SMS is a terrible multi-factor.

But it caught on because asking people to install an app is a massive ask. Not to mention, people never save those recovery codes.

Sure, you can use Authy and back up your codes but that’s pretty much squarely in the “for technical people” camp.

So at the end of the day, SMS is the only real solution for your average normal person. Let’s get cellular carriers to make SIM swapping harder.

My bank made me install Symantec VIP. Yuck. To do my tax I need MyGovID. Also Yuck.
How did the bank “make” you do this? Does your country only have one bank?
As much as I hate the apps, I'm not prepared to refinance my house just to avoid installing them on my phone. Especially when the other banks probably have the same policies, or will soon.
(comment deleted)
Google Authenticator now syncs to your google account.
I’m not even sure this is a positive thing.
You can opt out of it thankfully.
I have always saved my dtrings in a separate keypass database.

New Google Auth takes a second or 5 to show accounts. I use old apk because that one shows accounts in a millisecond.

iOS’s inbuilt password manager supports TOTP second factor authentication right in the operating system, no app needed.
Yeah but no normie knows about it. It never prompts to store them.
Isn't the point of a second factor that it's... Not the same as the first factor?

My TOTP app password is one of the few that don't go into the password manager. Might as well make 'em compromise each separately.

Eh. It still makes the credentials rotating credentials instead of permanent credentials. If your username + password + single TOTP value gets stolen, they won't be able to re-auth once that credential gets invalidated.

So say a site accidentally logs auth attempts, and someone finds the log. Sure, they know your username + password now, but they don't know a good current TOTP value. And TOTP values are supposed to be one-time-use, so even if they catch it quick it'll be invalid very fast.

Its better than not having TOTP, but not quite as secure as it could be. Theoretically its still something you know and something you have in that its something you "know", the static password, and something you "have", the rolling TOTP generator.

If the password manager was compromised (not accessed without permission, but updated without permission) then it wouldn't be just the single TOTP value that leaked, it would be the underlying key.

On a mobile device you might be a bit limited in how "distant" you can keep the two, since the vendor is typically almighty in that scenario. But in general, you have options and you might as well avoid keeping both eggs in the same basket.

That's one vector of my "not quite as secure as it could be" statement was thinking about. Or of someone just managed to steal your phone and break into it.

But, there are still other attacks that this setup protects against.

Two-factor isn't "two device", two factor is two factors of authentication, where factors are generally:

* something you know (password) * something you have (key handshake, totp generator) * something you are (biometrics)

Storing your TOTP secrets next to your hard passwords is putting eggs in the same basket, I agree. But I'd prefer someone do this than just forego adding TOTP or multi-factor entirely.

And in the end, even if you used two different apps on your phone you're still putting all your eggs in the same basket, which is a trade off tons of people are going to do. Even a lot of very security-conscious users will end up with some TOTP app and a separate password manager, chances are both apps will be installed on the same device. If that device gets thoroughly compromised there's potential for both apps to be attacked and compromised.

If your OS vendor shipping malicious code is a realistic threat to you, or at least attackers being able to impersonate your OS vendor, you're probably going to end up getting compromised even if you split it out into two apps. You'd probably just want to avoid TOTP entirely and move to physical hardware cryptographic tokens.

Accessing TOTP or passwords in the iOS built-in password manager requires someone to (1) have your phone; (2) pass a biometric authentication or a passcode authentication.

That's the two factors right there.

Or to be able to push updates to the iOS built-in password manager: one factor.
My threat model doesn't include Apple or Google, the maker of the operating system. If you assume they could push an update to the built-in password manager, you need to assume they could push a keylogger that exfiltrates both your regular password and the password for your TOTP app.
Fair enough. They're who I'm mostly worried about.

I've got the Google apps in a sandbox, so I think if they pushed such a thing they could only spy on my logins with them.

Not that I have supreme faith in GrapheneOS to keep google in its box on a device that google made, but I do hope that it represents enough friction that I get excluded as an outlier from whatever abuses occur.

It worked for every single card-issuing bank in Europe.

SMS are fortunately both expensive enough there to make them uneconomical for banks to use them as an OTP factor, and have been found too insecure for payment authentication by themselves, requiring a second factor.

This has practically lead to banks offering something more secure and/or ergonomic, e.g. bank-specific authenticator apps (which often work without internet, and always work without cell signal, e.g. when traveling internationally), hardware authenticators, WebAuthN etc.

> Let’s get cellular carriers to make SIM swapping harder.

No, let's get financial companies to step up their game and offer something not liable to both security breaches and locking out users (when traveling, losing access to their number etc.)

Many banks and card issuers are using SMS for 2FA in Europe.
No bank is using (only) SMS as an authentication factor for 2FA. It's not allowed under the EBA's technical interpretation of the PSD2 regulation. Some banks do still allow it as a fallback option, together with another factor, e.g. a password or other knowledge factor.

My bank even made it a paid service, which I fully support – SMS is extremely overpriced.

I'm in the UK, so our implementation of the PSD2 regulation may be a bit different (in came in while the UK was leaving the EU), but I get SMS 2FA codes from American Express all the time in the 3D Secure process.
Some banks do still allow SMS by itself as the only authentication factor (presumably because they haven't got around to updating their solution or maybe think they've found a workaround), but it's not compliant with the PSD2 regulation in the EU at least. The solutions I've seen usually use a password or security question as the other factor.
I wouldn't generalise an entire continent like that. Both my Bulgarian and Austrian bank accounts have SMS-based 2FA on online transactions and logins. Some banks in Bulgaria allow to use eSignatures as 2FA but afaik that has seen tiny adoption in the consumer space.
I don't know about Bulgaria, but in Austria, verification apps are very popular and I don't know many banks that still allow SMS-OTP for e.g. 3DS authentication or online banking transaction confirmation.
SMS pins are anything but secure.

Adding an Authenticator app much better.

It’s a tough pill to swallow the argument that one of the most widely used and beloved features (autofill codes from SMS) is against the best interests of the user.
The argument is that autofill makes it so easy, that users accept it and companies are more likely to adopt SMS-based flows, right? Autofill doesn't seem inherently bad.
iOS Autofill of one time codes works with email and with true TOTP codes. Authenticating a user securely on their phone can be seamlessly secure without relying on SMS.
It’s a much easier pill to swallow if said user has a US phone plan and ever tries traveling abroad.

Good luck getting those SMS codes. And good luck getting the US carrier to not shut off your plan if you travel for longer than a few months.

Well that's because US exceptionalism itself. More or less the rest of the world uses exactly the same tech for mobile so cellular roaming works in every country. It's the US carriers that try carrier proprietary tech to trap their customers into their networks.

I never had problems with getting SMS around the world with roaming. It just works.

I've never had problems with using SMS + wifi around the world without roaming.

(I've had that problem domestically, due to having laptop internet with no wifi password, though.)

Mobile network operators should be blamed too.

Now that said: in the EU (well in France at least), the biggest operators are teaming up and coming up with an interesting system called "SIM Verify" which is specifically crafted to make the life of SIM-swappers sad [1].

Basically companies relying on SMS can verify if a SIM card has been recently swapped and then act accordingly (like, for example, not allowing a password reset by SMS 30 minutes after a card has been SIM swapped).

I'm not saying it's a panacea, but it's a start (and it's all compliant with the EU's GDPR).

https://www.sfrpay.fr/Nos-solutions/Mobile-ID/SIM-Verify

Thanks for highlighting this initiative, I'll add it to the article. And Done.
Or just make it harder to get a new sim card. Why is this so difficult? Only send the card to the correct address etc.
> Only send the card to the correct address etc.

That is pointless in the days of eSIM, and even before that it would result in a lot of trouble as a lot of countries don't require people to register a new residence at some government entity that can act as a source of truth.

Lets try the same logic everywhere else.

Companies embracing password login should be blamed for sticky note thefts.

Companies embracing email 2FA should be blamed for email account theft.

I dont know if this holds up hey. We see this time and again. An entity that does not break the law, makes itself available to the law, and its customers get hit by a criminal entity that does not follow the law. Because we cant snap our fingers and demand the government make thieving criminals double or triple illegal, people reach for a largely innocent party and want to make their lives worse.

Take a deep deep breath and let it go. Theres no unharmful level of punishing the innocent on behalf of the guilty.

This is going to sound wild and crazy but the people swapping the sim should be blamed for the sim swapping attack. What? Blame the criminal? I know its a bold stance but its correct.

Thats a strawman fallacy. You can control not writing your sticky note.

You cant control a sim swap attack.

> Lets try the same logic everywhere else.

The difference between SMS 2FA and the examples you mentioned is that the former is literally impossible to use securely because there is (AFAICT) no (American) consumer mobile provider that implements proper safeguards against unauthorized SIM swaps and similar. Any company implementing SMS 2FA ought to know this, and any company knowingly implementing a deeply flawed 2FA system and selling it to consumers as "more secure" ought to be held liable when it fails. And the sooner SMS 2FA dies, the sooner the same old websites that implement SMS 2FA and nothing else will be forced to implement something that's actually secure.

Unfortunately, there are already laws that demand sms auth, e.g. online gambling in some US states (new jersey, being one).

The persevere practice has been established as 'strong login'.

This is what I thought about the 23andMe debacle. They may should have done better, but any attempt to "punish" them really feels like ex post facto law. Make new regulation or something and punish future incidents, but not this one.
And blame the carriers.
Carriers can certainly carry an amount of blame. IIRC in Aus its gotten harder to activate a new sim for these reasons. The attacks haven't stopped entirely but its gotten more rare. It now relies on a very persistent social engineering attack to pull off.

That said number portability is a really deep well. And theres utility in keeping it somewhat liquid for the many many many people it benefits rather than making it terrible for everyone to prevent a number of attacks.

why email is not the standard? i'm forced to have a cellphone if i want to use the bank, basically
Because phone numbers serve as an effective way to screen for bots. Also, they are unique and people don’t change them, so useful for tracking people.
but when they have to change them (i.e. moving to a new country), or they got stolen, it's pure pain. it's not a good system.
For sure, there should at least be an option for TOTP backup, but the powers that be know they would rather inconvenience a small percentage in exchange for the benefits.
> Because phone numbers serve as an effective way to screen for bots.

only because we allow telco rent-seeking on phone numbers.

Why are you forced to have a cellphone? You're free to visit the branch anytime you like.
> [Customers] appreciate that [SMS reset is] more convenient than resets via email.

Anecdotally, I'm annoyed every time I have to log into a Google account using phone verification, because I have to stand up from my desk and find my phone (which sometimes is in a different room) in order to receive the call/message with the code.

TOTP is much more convenient in comparison. I don't have to stand up from my desk, because I store the codes in KeePassXC.

A lot of companies still mess up passkeys, Allowing them only as a 1:1, using one terminates the session of another, or in some cases invalidates the previous passkey entirely.

Its implementations specific I'm sure, hwoever its not as straight forward as one would hope.

Also a favorite: "Your browser does not support Passkeys".

It sure does, which these horrible sites could easily verify by invoking the single line of JavaScript [1] to learn as much, instead of assuming "Firefox -> must be unsupported". Absolutely infuriating.

[1] https://gist.github.com/miguelmota/ad833d2e6f024a7189f803664...

Extra security is welcome, but I'm simultaneously terrified that I'll somehow get locked out of my Apple ID or main Gmail account.

Everything I read about Passkeys says this scenario is 100% impossible, as it's based on biometrics and no longer using a text string that can get lost, but I'm still nervous AF. I've had to do the "reset a password that's behind 2FA" dance before and it makes me want to crawl in a hole and die - super duper scary.

Somebody tell me to chill out.

(comment deleted)
Hard pass. What if I lose all my devices? (Except a fireproof offsite box with a piece of paper containing most of my passwords in it.)

More realistically, what if Google decides to disable my account, and holds my passkey database hostage (which they can, by design)?

Note I said “each of your devices.” Even if Google locks you out, they are all still on at least one of your devices (if not more).

My passkeys are shared with family members in iCloud (where they are synced to) for bus factor. I don’t recommend using Google for any consumer services if you can avoid it, especially syncing your password/passkey database, as there is zero support if something goes wrong.

There are stories of Apple locking users out of their iCloud accounts.
And all of your passkeys should still be on each device in such a case. It’s sync, not a singular vault.
If you still have access to them, yes. Problem is if you don't. And we need to be mindful that it's easy for us to say these things being very digitally native, while there's a huge part of the population that isn't so digitally aware and relies on companies like Apple to "make everything work".
I don’t disagree. It’s why the FTC and other federal regulatory agencies should require some sort of identity bootstrap process if you lose all of your digital identity credentials.

I’ve submitted comments to this effect to the FTC, and I’d encourage others to as well. Email (where all roads currently lead) should not be your identity in the 21st century, and losing a device or Big Tech account shouldn’t permanently banish you from digital account access.

Some relevant comments I've written on the topic in this thread: https://news.ycombinator.com/item?id=38691082 | https://news.ycombinator.com/item?id=38691156

Can you provide source? I've never seen Apple locking someone out of their account à la Google, only rare dumb user errors in the system clearly designed to effectively prevent them.
Sure, here's a first search result for the query 'locked out of Apple account': https://www.businessinsider.com/apple-not-helpful-woman-lock...
This is theft. And it was possible because the thief had her password (by spying on her.) It is known that thiefs do this, changing the password and account details very quickly to lock someone out of their account. Apple recently introduced protections against this, called Stolen Device Protection, which users can enable in Settings.
You can click the "try another way" link, which will allow you to use a TOTP code (which they call the "Get a verification code from the Google Authenticator app" option even if you've never used Authenticator).
I don’t have experience with TOTP on this, but I’ve seen that the “try another way” doesn’t even work with a recovery email address and a code sent to it. Google seems to make it almost impossible to login if you move away from your “home” location, unless perhaps you use its apps and are already logged in.
In the Apple ecosystem, the SMS syncs to your Mac, Safari detects the code and autofills it in the web page, and then it auto-deletes the SMS when you're done for you. It couldn't be more seamless.
Which, ironically, requires you to forever "opt-in" to 2FA on your Apple ID.
> What is a SIM-swap attack? It’s where a bad guy asks a carrier to port your cell-phone number to their phone.

How do they get away with this in practice? Can't the carrier phone the number for the SIM or txt to attempt to confirm the owner? Or send you an email or postal letter with a code? Or make you go to the store to show ID?

And if you claim to have no access to the above, send a txt/email/letter alert that you have 5 days to reply to before the switch happens?

Do any carriers advertise themselves as having strong security against SIM-swap attacks as a unique selling point?

Exactly, it wouldn’t be hard for the mobile providers to require sms confirmation and/or written authorisation before a number is ported out.

I don’t know if it’s government law or phone company laziness getting in the way of SIM security, but giving up on SIM security seems nonsensical and silly. Fix SIM porting security.

They could and it could be similar to emergency / fallback access in password managers. Send an SMS to the number (aka current SIM) before approving changes and force the person requesting the change to wait for X hours or days if there's no response to the SMS asking for authorization.

That's what the providers around me do, but I think it's because one of them got sued a while back and we only have about 3 providers pretending to be 10 different companies (aka fake competition).

Yep, I never understood that either.... you have to confirm your old number before you can transfer it to a new telco, so sim swaps are not really a thing.

But it's primarily a US problem, and they have a lot of ID problems, like using their SSN as "passwords", and other stuff that would be impossible anywhere else (like illegal immigrants getting jobs at large companies and enrolling their kids in schools without anyone verifying who they are).

Step 1: Confirm victim is out of cell range.

Step 2: Sob story about how you lost your cell phone.

Step 3: Fake ID / Social engineering.

The five day wait would work well, though it doesn't protect against "I stole the phone and I yanked the SIM or looked at the push notification" attacks.

The problem is that average sms security is higher than email, but email CAN be much more secure. So for mass market accounts sms makes a good login confirmation and improves security.

But if you've bothered to have somewhat secure email it sure would be nice to use that instead, and not worry about the 50,000 retail and support staff at telcos who can grab your sms account based on a convincing phone call.

So, please, I beg of you login developers, offer email wherever you use sms now.

(comment deleted)
I understand it’s a naive statement, but in order to log in into your email you would end up relying on some other sort of 2FA. And we’re back to square one to relying on SMS, because UX of other authentication flows has irrecoverable flaws.
Exactly. You could use a trustworthy mail provider with a domain you own (registrar and DNS provider in two other accounts, probably), and then a second mail account for the 2FA for the other three accounts, but then what's the 2FA for the second email account?
As usual, this conversation seems to be one side pointing out how god awful SMS is for security, usability, etc, and the other side going "but how else can we accommodate helpless users". (edit: sorry missed an important negation wording mistake)

Like sure, if I could, I'd make SMS disappear, but really, I'd settle for just punishing those companies so lazy they can't roll out any non-SMS support.

(comment deleted)
"Companies should not let account recovery happen over SMS, they should just let the accounts be completely and irrevocably lost."

The position of the post is just rigid absolutism that has no chance of surviving the real world, and it's not at all clear that the author actually has any expertise in the subject.

It should be completely obvious that password + SMS 2FA is better than just a password. And while the industry has been trying hard to get people to move away from SMS 2FA (yes, the industry would actually like that, despite the author's conspiracy theories), it is slow going. TOTP has horrible ergonomics and doesn't permit passing side-channel information about what exactly is being authorized. Emails get caught in spam filters. Push-notification style app authentication is secure, but a lot of people will refuse to install your app unless you're like their bank.

Yes, SMS isn't the best form of 2FA for a bunch of reasons. Sim-swaps honestly aren't one of those reasons. But they are the form that you can actually get people to use, and succeed in using.

Ah, but what about single-factor SMS, you say (unlike the author, who doesn't seem to understand the difference). Again, consider the alternatives. If you don't allow for account recovery over SMS, what is your account recovery story? Human customer service will just be socially engineered as easily as the mobile operator was. TOTP seeds, recovery codes, etc can be irrecoverably lost. Phones with authentication apps can be stolen and fail to be bootrapped again. Email accounts or IDP accounts can be lost to hijackers, and are also frequently lost when people change jobs, graduate, etc. Security questions can be stolen and brute-forced.

SMS has a unique property that makes it invaluable as a recovery factor: it's a globally accessible communications channel that can be bootstrapped from just your real-world identity even if lost.

That said, allowing SMS for account recovery does carry some security risks. They can be managed or mitigated by e.g. require a cooling down period, during which the account owner is notified about the recovery attempt and can cancel it. But like everything in this space, those mitigations are also tradeoffs. Which tradeoffs are the right ones depends a lot on what the account is for, there's no one-size fits all.

I'm so frustrated reading these comments because I assume this is the logic used at these companies that make my life a daily pain in the ass.

My email is more secure than my phone. This is shown to be evident on a monthly or bimonthly basis, despite insistence from sms proponents that it's the only feasible oh and also secure way. Bollocks.

Every single time, it basically boils down to the truth - SMS auth is circumvental, recoverable, whatever you want to call it. And there's ample evidence of that being used for account takeovers.

I honestly don't understand how this remains a discussion.

Great, go ahead use your email address rather than a phone number then!

If the author's point had been that there should be a non-SMS option, I would not have commented. But that wasn't their point. They thought it should be removed as an option from everyone. It's just an amateurish idea, completely ignoring the real world and the tradeoffs.

It also sucks if you lose your phone number.

I haven't been able to log into my primary Google account for many years because while I have the username, the password and the recovery email address (and all the emails are forwarded to me), I no longer have the phone number associated with the account, so clearly I'm trying to break in.

Or if you’re just traveling. I’ve been logged out of accounts while abroad and with no access to SNS.
Or refuse to give them a phone number. I lost access to two accounts where they now demand it.

Even have the audacity to send me an email with “someone tried to log in with your username and password!” Yeah, that was me clowns. :-p

I'm in a similar situation with LinkedIn.

Out of nowhere, they locked me out of my account, then they asked for my phone number, and I had to put in a code received through SMS. But that was not enough, because then they asked for a national ID card (the gall!). Of course I did not send it.

However, I kept trying to log in with the password and SMS code for a couple of days hoping that the ID requirement faded away, and now they say that I "have reached the maximum number of attempts. Please try again at a later date.". Well, duh.

So, now I have a ghost LinkedIn account with my face and my data that I can't even delete.

I'm seriously thinking about asking a bunch of people to mass report my account for racial hate speech or something so that at least it gets deleted.

Well, keep in mind almost nothing is deleted any longer. Only a deleted_at column is populated in the database, which prevents it from being listed by default. But data is not deleted, and those accusations might last forever as well.

This is where being an EU resident would be handy.

Yeah, it sure would be nice if the same nations that deeply/fundamentally benefit from being epicentres of cutting-edge technology would actually do something to protect the rights of people who are reliant on and are affected by said technology.
It's gotten so bad that it's now a regular paid service that I see offered for people to use bots to mass report your old accounts for a fee to get them removed and delisted for you. "100% guaranteed ban and delist. 1hr turn-around time!"

Of course, using it as a weapon against your competitors is the unsaid reason for these operations...

none of my google accounts even have phone numbers, and I've never been asked for one...
Yeah, that's what's especially insidious about it. Until you attract the eye of Sauron by somehow setting off whatever unknown security trigger (which btw will never ever be disclosed to you), you'll never notice just how quickly everything can be taken away without any recourse. Everything seems just fine, doesn't it? Until it isn't.
They say for security purposes they need my phone number (that I've never given them before) to verify I'm me. I've seen this on first login on a new account. I guess they think I'm pretty stupid and I'll believe that.

Facebook once balked and demanded my driver's license scan to keep using the account for security purposes or no more login for you. I called their bluff and abandoned the account. A few months later I tried again and suddenly the driver's license wasn't needed anymore. Then I stopped using it for YEARS until they sent me a single email with a link, which LOGGED ME IN to the dormant account without asking for a password on a new PC that had never used facebook before. I actually don't even remember the password at this point but it is still logged in!

(comment deleted)
Once I was in a situation where I could either have wired ethernet or cell service, but not both (it was a 30 minute drive to cell service). There was no way to log into my Google account because it decided my laptop was suspicious (due to the strange IP address, probably).

When I got back to civilization, I turned off Google 2FA, and will never turn it back on, at least for personal accounts. I would rather drop my usage of their services than deal with their account login bullshit.

Google is really atrocious in this respect. It won’t even use recovery email addresses properly. The only solution is to move back to an IP address range that seems like your original “home” location and pray that it works. I have some choice words for whoever in Google thought not allowing account access or recovery is a good thing.
I swear this is a bug, the recovery email is supposed to remove the need for sms auth. But google have no help desk or ability to report bugs.

Shame on you google.

The problem I have with Google's authentication flow (and also Microsoft's) is that there's no right way to use it. They both make unpredictable demands at unpredictable times, so you can't rely on being able to authenticate when you need to.

Randomly losing account availability like this is completely unacceptable for critical services like the ones they provide.

I've spent hours on the phone to many Google internal numbers that I can find trying to get someone to help me.

I think my best action is to use one of the sim-swap services myself to intercept the SMS to the guy who owns the number now.

In my case, nobody owned the number so our phone provider gave it to us, you can also ask the current owner if they could help, though alarm bells may go off in their head
I've tried texting them and no response and they hang up if I call :p
A bunch of people like to say it is fine they use the phone number because you can use your other methods as a backup if you use it. Yet I've read plenty of stories like this about google demanding everything they have on you.
EU is supposed to get a unified digital identity wallet. There’s already a qualified digital signature. My country’s ID has a chip with public key cryptography. Just let me permanently tie my Google account to my national identity and then the problem will solved (at least for EU residents). I’ll be able to just use one just YubiKey without stress of losing it and I’ll be able to get my account back if someone steals it.
> I’ll be able to just use one just YubiKey without stress of losing it

How does the "without stress of losing it" part work?

what, no blame for the stupid mobile providers who let themselves get social-engineered?
There was a big issue with Payoneer's SMSs in Argentina under Movistar. I tried to rise the issue here in HN but got unnoticed.

There is an insightful tweet [1] in Spanish that is translated as follows:

""" Well guys, the payoneer mystery is solved.

#PayoneerHacked

- The attacker compromised the gatway SMS used to send the 2fa to Movistar customers (the platforms use this to sneak the cost) - The attacker saw 2fa messages passing from Payonerr to a Movistar phone number but had the problem of not knowing the email of the Payoneer user to change the password and make the transactions. - The attacker, to discover what email was behind each phone, set up a phishing site to try to take ONLY THE EMAIL from there and with the email + the phone + the 2fa that accessed the compromised SMS gateway in real time, he was able to change the password, access the account and send money since I kept reading the 2fa that arrived on the Movistar phones. - That's why the victims saw several real SMS with 2fa coming during the night that emptied their account. - Even if Payoneer customers had fallen for phishing, they would only have had one 2fa stolen, and not all that is needed to log in, add an account and transfer. This need makes it evident that the commitment to the SMS gateway existed.

- The victims of this scam lost their money because the last mile of the security stack was compromised.

Be careful, because Facebook, Twitter and others share the same gateways to save money on SMS.

Here I leave a screenshot of the SMS that arrived during the early hours of the morning to a victim and that the victim was never able to share in any phishing and that were necessary to empty them.

(whatever you read in the media... fruit, lots of salad and little sauce. here's the post)

Thanks to everyone who cooperated. """

[1] https://twitter.com/julitolopez/status/1748440685743587811

the crazy part is that Payoneer would let you reset the account password just with the reset code sent by SMS, no need to prove ownership of the email address.
It baffles me that we all services haven't defaulted to something like Google Authenticator or similar. Users should be given a choice.
That’s what I have been saying for years every time I have an opportunity, last one few days ago https://news.ycombinator.com/item?id=39247480

But it won’t happen, that phone number is NEEDED to be tied to your identity for a lot of reasons, that’s why banks (where most people have their real identity) are still requiring a phone number.

I absolutely hate SMS verification. Email providers want sms verification, my corporate Microsoft account wants SMS verification to login on PCs and then it also wants Microsoft Authenticator verification ! What it really wants is me to “stay logged in” all the damn time. On my Mac, outlook needs to relogin to Gmail in safari every damn time I clear safaris cache. What the god damn well hell. What if I changed my phone number? I’d lose access to almost everything… wait is that the point ? CIA ? NSA ? KYC ? Cmon ! The internet used to be fun, but now it’s just a hassle
Before this new wave of SMS trash, we just had TOTP codes that 1password could auto fill for me on any device in any location. Now i need to pull out my phone constantly and pay for international roaming or setup SMS forwarding to travel even if I don't need the number. Yay security!

If the argument is that phone number can always be recovered from real world identity, link the damn authenticator app to SMS instead of having to hand out your phone number to every company in the world.

The problem is that your authenticator app doesn't give them access to a relatively stable, cross-site/app/etc identifier that they can sell for advertising peanuts.
Require a phone number for account creation and support TOTP. Win-win.
It’s a loss from the business’ perspective. They could support 2FA with SMS and check a box; to additionally support it with TOTP would only be additional cost -- albeit with the bonus of “doing it right”. Unfortunately, that’s an abstraction which a lot of businesses consider to be achieved when they can check the box.
Also average Muppet consumer can't manage it
Not true. If we make Yubi keys cheap enough (below $5) then everyone would want them. Everyone is already carrying around keys, they won’t mind 1 more key. Why can’t we make yubi keys cheaper?
Pocket space is finite. There's no way I'm carrying a yubikey unless I can jam it in my laptop USB port (defeating the purpose of it) and forget about it.
That wouldn't defeat the purpose of it.
A Yubikey used in that way is still more efficient and secure than every other option.

Someone would need to physically take your laptop, unlock it, and get your account passwords before they could use your yubikey to login to accounts.

Then why not just store the encrypted credential on the device itself?

Would that be what passkeys would be?

Theft: A $2000 laptop is an easy target for anyone with sticky fingers, and so is a $1000 smartphone. A Yubikey has essentially zero resale value, so you will not lose them due to random theft.

Durability: If you drop your smartphone, there's a pretty good chance you'll shatter the screen and buy a new one. You can play tennis with a Yubikey and it'll be fine. You can run it through the washing machine and it'll be fine.

Longevity: Laptops and smartphones generally only have a 3-5 year lifespan due to battery degradation, and many people will want to swap it for one with more storage or whatever anyways. A Yubikey will essentially last forever, and if you stay clear of the insanity that is Passkeys its Webauthn element can support an infinite number of websites.

Portability: I have a smartphone, a work laptop, a home laptop, and a home desktop. My Yubikey has USB and NFC, so it can trivially be used with all of them. Individually enrolling each device would be a nightmare, and having the credentials sync is a bad idea from a security perspective.

Security: If your device gets compromised, it's pretty much game over: the attacker can now log in to all your accounts, any time they want. With a Yubikey I have to physically insert it and tap the button for each login - which is relatively rare because active sessions don't tend to expire. This means I would have to actively participate in a mass compromise of my accounts, making it way more likely to be noticed.

Passkeys is like embedded Yubikeys, or, Yubikeys are like external passkeys.

The point of passkeys that the key is kept inside a separate secure computer running secure blobs, so user codes can't touch it. That sounds sketchy but contactless payments using similar embedded secure computer has been fine so this should be too.

A couple of other people answered you already in a lot of detail, so I don’t have much to add there.

But I do recognize that really is a legitimate question and it feels like Yubi would benefit from running more outreach / promotion programs with schools and companies. I never felt like I could justify spending $50 just to try it out(especially when it doesn’t have support in a lot of sites), but then they partnered with Cloudflare to sell up to 5 per person at $10 each. It was a no-brainer to try it at that price and I haven’t looked back

No freaking way. I don't use YubiKeys not because they are expensive, but they are less convenient than other options.
No I promise you they won't "want one".

RSA keypads were an example. Absolutely free. Hung on keychains. Work well in that it was "secure" and worked, but an absolute nightmare for the banks to manage. UX was equally terrible (sure Yubikey isn't that).

The only way to mass introduce it is require multiple key entites to push and collaborate like your bank + phone provider to push it out for free.

Yubi keys are a logistical nightmare for my parents. SMS is not. For my parents, sticking to something in the phone is good.

I have and use yubi keys; they are annoying to set up and use compared to sms. No one will want that outside a few geeks.
It has nothing to do with cost.

Using a yubikey says, specifically, that if I lose this little device and the bypass codes, that I have presumably stored on encrypted storage in a way that doesn't require the yubikey to access, then I want it to either be impossible or exceedingly difficult to recover access to this account.

Very few people actually want that, and if yubikeys become widespread, there will be a wave of people having tantrums because their yubikey is lost and the account is unrecoverable.

If it isn't extremely difficult to recover an account in the absence of a yubikey and the loss of the bypass codes generated on enrollment, then there's no point to them.

I've run a b2c website. There is a shocking percent of internet users -- I'd estimate 20% -- that cannot reliably tell you their email address (5% that literally can't, and another 15 that can't reliably). Those users having yubikeys would be an utter disaster.

There is a shocking percent of internet users -- I'd estimate 20% -- that cannot reliably tell you their email address (5% that literally can't, and another 15 that can't reliably).

My email address is firstname.midddlename@<wellknownemailprovder>.com

I get a dozen emails a week from companies and government agencies trying to reach people with the same first + middle name combination from around the world. People seem to think they automatically get an email address with their name provisioned or something and they just sign up for accounts and services using that combo.

Truly bizarre how many large companies do not verify email addresses before setting up accounts.
It's absolutely a problem with cost, though a little bit with UX. If YubiKeys cost $5, it would be reasonable to have 3 of them, and you keep on your keychain, one at home, and one somewhere else. The UX problem is that you would want a way to enroll a YubiKey that you don't physically possess, but that is a solvable problem.

The bigger problem is that a large number of sites don't implement MFA properly, and don't allow you to enroll multiple MFA devices. This really could only be fixed with regulation that clearly defined MFA, so there would be consequences for improperly implementing it.

I promise you there is a significant percentage of people that would fumble enrollment; you handwaved away a giant problem (multiple enrollment, not present); and many people would put them all on the same keychain.

In the politest way possible, I question whether you've interacted with the modal user.

edit: I can try to dig up the article, but here's the precis: 5-ish years ago, google briefly changed their search results ranking. Lots of people were logging into facebook by searching facebook, instead of typing facebook.com, then following the top result. Some other site briefly was the top result when searching for google. That site got a wave of users submitting help requests because they couldn't log in with their facebook credentials, and accusations of subterfuge or wrongdoing because their accounts were deleted. I think it was pinterest, but I may not remember correctly. Either way, it looked nothing like facebook and didn't use blue.

That's what a significant fraction of internet users are like.

$5 is cheap where? Most internet companies are global and have little desire to cut off customers in developing countries, since that's a major area of growth.

$5 in the US is roughly equivalent to $20 in my country, when you adjust for purchasing power parity. We have over 70 million people who use Facebook and Youtube daily.

If rich Americans won't pay $20 for a Yubi key (and they are currently $25) why should we be expected to?

And when a bunch of your users can’t get in to their accounts because they lost their yubikeys?
Also an identifier that is much harder to create bots/spam with, as phone numbers are harder to come by than email addresses.
(comment deleted)
Almost counterintuitively I deal with more spam SMS than I do email but that’s probably less a factor of actual volume and more a factor of the need and sophistication of filters for both services.
It’s likely also a function of the market / location / network incentives.

May own anecdote is that I almost never receive spam sms despite having nothing in place beyond whatever my service provider does.

Spam mails make it through two+ layers of filters (service provider + my own) more often than I get spam SMS, and I have to trawl the wasteland that is the spam box once in a while to ensure important mails have not been missclassified.

That's why my banks use their own apps as 2FA factors.
The own 2FA apps of my banks inevitably stop working at some point. They shut down immediately after launching them. Alternatively they stop reacting on tapping the "confirm" button. If I leave them unattended for few months, I'm almost certain they'll not work on next use.
I've added a recurring event on my calendar to check login-ability to several apps with which I've had this kind of experience in the past. At least once per month.
Before this new wave of SMS trash, we just had TOTP codes

SMS 2FA predates cell phones. First SMS 2FA was AT&T in 1996 using pagers.

The first draft of the RFC for TOTP was written in 2008. Google Authenticator came out in 2010.

And TOTP predates “this new wave of SMS trash”, when every service actually started using it.
(comment deleted)
Eh, that’s a bit pedantic.

I knew someone who worked for a bank in the late 80’s - early 90’s, and I distinctly remember them having a little keychain dongle that generated one-time codes every (30? 60?) seconds for secure remote login.

The product may have been an RSA SecurID, or something else. Branding aside, it’s the same concept as modern TOTP. The main novelty of the TOTP RFC was standardizing the setup / secret sharing process and algo.

>Now i need to pull out my phone constantly and pay for international roaming

Weird, all the carriers I used either have free international roaming (at least for receiving text), or have wifi calling which allows me to use my phone as if I'm on the home network anywhere with an internet connection.

I am occasionally out of the country for more than a month... I usually pause my phone plan because I don't want to pay for a service I am not using. Sometimes I even get a different number when I return and restart my plan. That is why I use Google Voice, because I can use it over wifi or a data only plan, and the number doesn't change. But now, some stupid companies are blocking Google Voice from being used.
Mine doesn't!

And though the one I used before did, I usually have a cheaper local SIM in my phone for data use when I'm traveling, and I'm not swapping SIMs just to authenticate to some company that hates its customers.

Thank you for your anecdote. However your personal experience doesn't reflect everyone.

Many people don't have free international roaming, in fact mine only has roaming for US (I'm in Canada) and for zero roaming options available outside of North America.

Outside North America, receiving text messages is always free.

Receiving calls isn't necessarily free when roaming.

As a European, the idea of paying to receive a call or text is alien to me, but I understand it happens in the USA.

I'm pretty sure it's illegal for an EU network to charge for receiving a standard SMS or MMS - even while roaming.

I can therefore receive an SMS OTP in any country and won't pay a penny.

Actually it happens. I live in Sweden and I travel to Brazil to visit family. If I get a SMS on my Swedish number, I get charged the equivalent of a 1-minute phone call. The reason is that the Brazilian telecom I'm roaming in sees a foreign number from Europe as a perfect opportunity to get some easy money, and charges my provider, which passes on to me.

Note that the law in Brazil forbid telecoms from charging to receive phone calls or messages, even when roaming. But I guess the regulations don't extend to foreign users that are on international roaming, or companies do it anyway counting that the person will only find out after returning home and won't know how to fight it. Authorities are not set up as well to receive complaints from non-residents.

I use my Google Voice number for everything because I can't trust I will have the same number if I change carriers (I have found the porting numbers between MVNOs can be hit and miss) and because I sometimes travel internationaly. Now, stupid companies are demanding a phone number, and blocking Google Voice from being used...
Don't worry, soon Google Voice will be abandoned by tehGoog.

(Perhaps this is just dread since I use it for the same purpose)

I understand the feeling! I would love to find an alternative, but I haven't yet. I only use Google Voice for services that demand it, and I try to find alternative services when possible. I never use SMS auth for anything truly critical.
Google Voice (the free service) has its own pitfalls, which I believe make it a very poor choice to use for online accounts. I’m speaking from personal experience. If you happen to not use it for a little while, Google Voice will send an email with minimal notice (with Murphy’s Law, this will be during a vacation break) that the number will be deactivated. Once that happens, you cannot reclaim that Google Voice number using the same linked phone number. You have to get a new phone number that has never ever been used with Google Voice and then try to link it. Even then, Google Voice will send the OTP and make it seem as if the linking worked but will show as unlinked (and the Google Voice number unavailable) after just a minute or two. You’ll have to retry with another number over and over again until you start banging your head against the wall. After maybe a few weeks or several weeks, that Google Voice number will not even show up for reclamation.

Google Voice is a total mess, and as a “free” consumer service that Google has shown little interest in maintaining and supporting, you don’t get any kind of support or help whatsoever.

My sincere advice (if you’re a free Voice user) would be to delink your Google Voice number from all critical services. Get a real phone number for which you have the ability to get customer support.

Yes, I am aware of these pitfalls. I only use SMS based auth for things that demand it, and if it is a thing that is truly critical, I find an alternative that doesn't demand it. At the very least, I ensure that I have a way of physically showing up and getting my account recovered in a worst case scenario.

Google Voice is probably my favorite Google service... I have looked at alternatives many times in the past and have never found anything that compares that isn't super expensive (and usually not as good). I really hope Google keeps it. But I am prepared to migrate if Google shuts it down (and I really hope they provide a seamless number porting experience if they ever do...).

> I use my Google Voice number for everything because I can't trust I will have the same number

You can trust google they will let you use forever and won't block your account anytime without warning though.

I only use SMS based auth for services that demand it, and I find alternative services if they are really critical. All though lately, more services are forcing it without any advanced warning...
Trusting Google for anything is a lot riskier than trusting a carrier once in many years.

Their own internal teams as well as game studios didn't know about Stadia's end until the day it happened, what makes you think they'll treat you better with an unpaid service?

Amusingly I believe Google voice needs a valid phone number to sign up for Google voice.
They may re quire a phone number now... but I am not so much worried about using my temporary carrier number to sign up, because Google doesn't force me to login with SMS (I now use Google's Passkey support, with two passkeys- my phone, and my Bitwarden account).
In India your Sim card stops working if you do not recharge ebery month and after 2nd month, the number gets blocked, after 90 days the number gets canceled and recycled.

The going argument is, WhatsApp if your number gets unused for 90 days doesn't let you reset password or something so its all fine.

Then its a matter of submitting a written application with the bank to change your mobile number so its all fine

I recharge my airtel with Rs 1700 something, which gives me a 365 days validity, without need of any additional recharge (plus some GB data everyday).
that is.......... a lot to spend in one go
If you can afford a phone, you can afford 1700 for a year. If not, EMIs are a thing.
1700 rupees is about $20, nothing.
Thats what $20 a year, thats nothing.
A few countries in the area have such a short length unfortunately. I’m lucky to have my European SIM card that I can top up once every 12 months. And even if they deactivate it after 13 months, I can recover it within the successive 12 months if I remember correctly.
> we just had TOTP codes that 1password could auto fill for me on any device in any location

Doesn’t using your password manager as TOTP code generator reduce the number of factors back to 1?

You could always use a different password manager or different buckets. Both the apps I use (one for TOTP and one for passwords) can do both lol.
In practice the only widespread attack that either TOTP or SMS authentication help with is credential stuffing, and if you use a password manager to use unique passwords on each site you're not susceptible to credential stuffing to begin with.
Both provide some protection against phishing sites, where the phisher needs to maintain their access.
If the attacker is targeting your 1P, then yes.

If the attacker got a list of passwords from a leak and your password was on it, the 2nd factor provided by the TOTP will still save you.

So, it just depends on your threat vectors. I’d rather people I support keep unique passwords alongside TOTP in a manager they’ll actually use than skip or use SMS TOTP because of a vague concern about targeted hacking of their manager.

If you're already using a password manager with secure randomized passwords, you're not vulnerable to credential stuffing unless that specific service had a breach. I suppose TOTP may still protect against unsophisticated phishing, but only as long as the attacker doesn't phish a TOTP code at the same time and pass it straight along to the service.

Are there other threats that TOTP-in-password-manager can protect against that the randomized passwords don't already?

>Are there other threats that TOTP-in-password-manager can protect against that the randomized passwords don't already?

tbh the UX problem of 2fa for "I use random passwords and am not vulnerable to credential stuffing" users is a pretty big reason to stick TOTPs in your password manager.

Security is always a series of trade-offs, and 2fa brings some hideous trade-offs in many sites (well over half only allow one at a time, for example, and then you lose access permanently). TOTP with a standard like this lets you choose, rather than the site choosing for you.

> unless that specific service had a breach

Right, and if an attacker can dump password hashes they can likely dump TOTP seeds as well. With that level of database access the attacker may be able to steal all your info from the impacted service, so talking about the password may even be a distraction since all your data is already stolen.

Sites can't rely on password managers and will make TOTP mandatory, cf github.
Yes. A bunch. Service accounts that need to be shared between a limited group of people.

TOTP + something like 1P moves this from happy-monday-an-infra-engineer-left-time-to-rotate-100-accounts to something you can just do periodically as you like.

Some password managers do offer the option of challenge-response from a hardware key, but technically speaking the password manager vault file can be considered "something you have" so long as you store it securely, like your SSH private key.
Yes, it's something you have, but it's not a second factor if you're storing your (randomized) password in the same place. If you do that it's just two redundant checks that you have access to the same single password manager vault.
Well in the context of mobile login so is TOTP, push based microsoft auth and other kind of mobile based shit.

I don't know anyone who buy a second smartphoe to make it sure 2FA is on a separate device.

I'd have to disagree.

The problem is that the vault file can be copied, which means this is now "something you and your attacker have". Even worse, it's not just the (probably encrypted) vault file: if your computer ever gets compromised, it is trivial to wait until you unlock the vault, at which point they can extract the now-plaintext TOTP secrets.

The way I understand it, the "something you have" factor is something which is intrinsically only a single item: either you have it, or you do not. If it can be copied, one of the copies could be compromised without you noticing - and because it's a copy you wouldn't even be able to revoke it without changing your own token too.

> if your computer ever gets compromised

If that happens, nothing will save you. The malware can just grab your session tokens whenever you log in, then do whatever it pleases.

Wouldn't you still need the password database, plus the password or whatever used to open that database? The two factors are related though (a good keylogger should be able to get both).
Multi-factor isn't an end to itself, one strong factor is fine for most things. If your pw manager is good enough to not get tricked by phising, that's already better than most manually used MFA.
Inuse a simple APK which makes http post request on very incoming SMS.

That post request is processed by my own Google apps Script to send it to my own telegram bot.

When I travel where my phone will not work in that country, my wifi connected devices get OTP right away, in about 5 seconds.

> Before this new wave of SMS trash

My favorite is it's often paired with "passwordless" trash lol.

Why can't I just give my whole fucking credential out in 1 action. What's this nonsense where I have to enter my username, THEN wait for the page to load, THEN click "send verification email" or "send code", then half the time they want to SMS me and have me enter another code lmao.

I use 1password with Fastmail integration to create unique email addresses for each login. This new “sipping from thimbles” approach to authentication breaks that because iOS and/or 1pass don’t recognise it as a login until the password screen, so I’m swapping and searching and copying and pasting just to log in. I viscerally hate that sort of user hostile design of the auth/login.
And don't forget to solve 10-stage captcha before eveey page load!
My favorite is when you try to sign in, but it fails because you didn't answer the captcha on the login screen... because the captcha never loaded.
> What's this nonsense where I have to enter my username, THEN wait for the page to load, THEN click "send verification email"

I can’t speak to all of them, but many sites that require (only) a username first have enterprise SSO integrations.

The enterprise buying the service (understandably) doesn’t want its employees to type in both username and password on a 3rd party site, especially since the SSO process will handle auth after the username is entered.

I know of one site with both username and password on the first page, and has enterprise SSO. Login will automatically fail if you enter anything in the password field when logging in with an SSO-enabled username. But that doesn’t stop copy-pasted credentials from being transmitted to their server, which is something enterprise customers want to avoid

I agree with most of what you say, however:

> [...] pay for international roaming [...]

I don't remember ever having to pay to receive SMS abroad. Is that a common feature with the plans where you live? (I mostly have experience with pre-paid plans from Asia, Australia and Europe.)

Americans screwed up mobile phones since the beginning: they pay on both ends, to receive and to make calls and sms.
I just want an authentication / identity service that lets me select the recovery difficulty (anything from showing my government issued ID or fingerprint verification to actual rapid DNA testing, all for an appropriate fee), along with specifying account beneficiaries in the event of death / incapacitation.

It’s absurd that for ultimate identity, currently services tend to rely on email, google account, or SMS, all of which are some combination of insecure, at risk of banning you on a whim, hard to recover, or prone to spam since they don’t verify real life identity.

For a lot of companies they choose sms for no other reason than it really limits spam and cuts down on fake accounts. People are conditioned to for the most part to be free with their phone number. Making it pretty much the only identifier that cant be easily and without cost or human effort changed(its not too hard and often normal to block voip numbers) Sure you can say well then also require some other form of authentication. these companies are trying to make money and go to a lot of effort to reduce even the slightest friction to new customers. Besides once they have sms and 98% are happy with that why put more work in? The real problem though is what other choice do they have? Yes you and i would put the effort in to both secure and properly manage better systems but when the vast majority would quickly forget or loose any other method. They have to make a system that is "secure" for them anyway, why implement other systems(yes i know you and i think it would be worth it for us but maybe the bean counters dont).

Its completely understandable that the average person THINKS that sms is secure, everyone depends on their phones, uses it for very personal, private and sensitive business calls. even without tech companies using it for auth it would be exploited, just not as much. Unfortunately it would just take an incredible amount of cooperation, expense and growing pains to properly secure the telecom network. They are extremely interconnected legacy systems that are designed with the assumption there is no security besides trust. that being said they could improve things a whole lot more if they were able to verify their customers better on support calls or at least had higher security options you could enroll in. So they didnt put people who cared about security with the ones who cant even keep track of their own account numbers.

Personally without governments coming together to implement a digital "secure" citizen identification system (also very scary) probably the best we can hope for and i think google now allows is after its verified by phone remove it as a authentication and recovery option and setup multiple hardware security keys/passkeys. ya people will still be idiots and use sms even when there are better options but at least some of us can be secure.

This exact topic came up by chance at the lunch table today (I work at Stytch, we do auth).

SMS as a primary (or frankly even as a second factor) is fraught. But as comments in this thread call out, they can be incredibly smooth UX for end users on mobile devices.

And in fact, for some user bases, far and away more ubiquitous than emails. There are many populations that just don't have email to serve as a primary factor, but do have phone numbers.

So it's a nuanced topic. Everyone, both users and developers, need to have eyes wide open to the danger and protect against it.

And let's not forget the telecoms, they need to recognize that the phone number serves as a primary login factor and treat it more carefully. That might mean in person or stronger identification requirements on changes.

Using SMS makes PERFECT SENSE for the online service provider.

The following are very similar but separate goals:

1. proof of account ownership (person attempting action has ownership of account)

2. limiting accounts created by non-legitimate users

SMS is a very effective for (2) because few people are going to have access to 100 different phone numbers. Having a cell phone number also typically involves a personal process that requires things like your address, passport, SSN, etc. There are hoops to jump through for this. Companies rely on SMS because they can outsource the KYC process to cell phone companies. They are not doing this to have the most optimal or secure solution for proof of account ownership.

People who continue to complain about this clearly has never had to make this type of auth decision for a company involved in regulated or financial services.

Your point is completely orthogonal to account takeover. You can require a phone number to create an account and not allow SMS to the number to takeover the account.
Why does the service provider care about account takeover, from a financial perspective?

They can always reset the password on their end, given proof of identity (if the account matters).

>Why does the service provider care about account takeover, from a financial perspective?

Indeed, caring in any way about users of your product or service is merely a liability and a cost center.

I honestly don't want that type of overprotective caring that cares so. much. about you that it restricts you in meaningful ways.
What happens when the owner of the number discontinues the phone service, loses the number and the same number is give to another customer who then tries to register for an account on the same platform? Phone providers may recycle numbers in as short a period as a few months.
> Phone providers may recycle numbers in as short a period as a few months.

Then, I guess, the account on that German home automation online forum was maybe not that important, after all.

Such a strawman. People get locked out of accounts with important stuff for them all the time.

Let's demand more of tech companies who have the means to do proper security , instead of bling user mistakes.

No, I’m not blaming the user. Look at this from the other perspective:

I have an apartment, a vacation home, a chicken coop, a shed with old tools, a car, a bank deposit box.

Do all of those things absolutely require a Post-Blockchain-Ready™ SuperDuperLock 3000© with the patented Forensic Upgrade Crypto Key™ technology?

Not really. Some security vs. accessibility/usability trade-offs need to be made.

Somebody stealing the contents of my bank deposit box? Okay, that would suck.

Somebody breaking into the shed and stealing that old broken Toyota diff lock actuator I *swear* I'm going to fix at some point and maybe a shovel? Please.

This is why I think there might be a security floor for critical applications, but it should be the user's choice if they really want full 2FA+ with smartphones, biometry, and social security number verification for their random account on once-a-month-visited social network for cats.

Just because I understand precisely why companies do it doesn't mean I need to be happy with it, does it?

By the same logic, you could justify companies tracking their users and selling their personal information: It makes money, and making money is an important part of running a business!

Or: "Robocalls with fraudulent caller-IDs make perfect sense for the companies doing them..."
>(2) because few people are going to have access to 100 different phone numbers

There's a plethora of sms verification providers where you can pay a trivial amount (eg. 50 cents) per verification, and have tens/hundreds of phone numbers available. This isn't stopping anyone who's mildly determined.

> There's a plethora of sms verification providers where you can pay a trivial amount (eg. 50 cents) per verification, and have tens/hundreds of phone numbers available. This isn't stopping anyone who's mildly determined.

But that's the point: If you're really determined, nothing's gonna stop you.

How much on the freedom vs. restriction scale do you want to get pushed to the right for "security" before it's too much? Or is it okay, because it's not inconvenient to you?