45 comments

[ 2.0 ms ] story [ 90.6 ms ] thread
This installing work 2fa apps on my personal phone also needs to go. I actually have no idea how to transfer all of these things if I drop my phone and break it. Absolutely crazy that so much is tied up in this terrible idea.
Yes, keeping track of second factors is... definitely not a solved problem.

Relatedly, I have to manually maintain a text file of all of the sites I've used my Yubikeys on so that if I lose one I know where-all I have to rotate to a new one.

I managed to convince a company to give the option of TOTP once I made it clear that they would have to provide me a phone (and pay for its service) if they required one as my contact clearly stated the company was responsible for providing the necessary tools for work, and that TOTP is otherwise completely free.
So the case against SMS 2FA boils down to

“There are two factors, but the second factor is something a determined actor can get around by SIM swapping.”

But there are still two factors and SMS 2FA handles disaster recovery much better than the listed alternatives for most people.

This argument strikes me as kind of like - “a determined actor can get around a deadbolt pretty easily, so the standard for homes should be a vault door and fines if you leave a hide-a-key rock anywhere near your house.”

Author here - yes, I agree that SMS 2FA is much better than nothing, but let's be honest, implementing and using actually secure 2FA is a lot easier than installing a vault door on your home. When the barrier to adoption and inconvenience to the user is so low, there's no reason to not adopt better 2FA methods.
(comment deleted)
>When the barrier to adoption and inconvenience to the user is so low

Is it low though? I'm not sure my parents could figure out how to use an authenticator app.

I've noticed that for sites I visit rarely there will be some sort of drift from the auth app and I'm often forced to use a backup code.

I'd rather just have a whole list of allowable factors and the opportunity to configure one or more of them depending on my personal risk tolerance.

Then your Patents should not be near any account that should reasonably require 2FA. They are perfect prey for scammers.
(comment deleted)
Really though? I get maybe being confused the first time they used it, but you really think they couldn't figure it out?

An authenticator app just has the codes and the sites. SMS has the codes, all the previous codes, all of your other SMSs. Plus the messages come from a 5 digit phone number that has a similar format to the 6-digit code you're supposed to enter. The whole system is byzantine IMO and the authenticator app has a much simpler flow. But, you know, I recognize that not everyone may experience it the same way.

I'm generally curious if people think there's a simplicity to the SMS approach other than just familiarity with something that's awkward.

The real problem IMO is not that it's hard to use an authenticator app, it's that the authenticator app provides an actual secret. There's less of a backdoor, so customers can lock themselves out. The downside of the backdoor is it's a security risk. The upside is that managing private keys is a nightmare and nobody wants to force their customers to actually manage private keys.

Tell that to my retirement-age mother.
One of my coworkers (at a social services agency) was the victim of a sim swap. If it can happen to her it can happen to anyone. They gained access to her bank accounts, all her email, as well as PayPal and Venmo. She ended up switching phone providers.
Yes, and sometimes even locked houses are broken into.
Out of curiosity - do you think that difficulty of installation is what keeps people from installing a vault door on their home?

I imagine even if it were easier, you would see low adoption, because “I’ve never been robbed but I have locked myself out, does this mean I can’t call a locksmith anymore?” Would be top of people’s minds.

> much better than nothing

If you wouldn't advocate banning deadbolt locks just because vault doors are better, why advocate banning SMS 2FA?

One reason to ban 2FA SMS is because end users take on most of the cost of a compromise, but they are generally pretty poweless to prevent others from creating the vulnerability, particularly where the party requiring the SMS 2fa is a government or government contractor.

I don't know that I'd go so far as saying that a ban is the right thing, but something is needed.

SMS disaster recovery becomes 1FA.

If im giving my phone number and a second factor to verify me, I don’t want it repurposed as a single factor backdoor. Too often companies dont advertise that it’s a backdoor into the account, or the feature gets added after they collect the info.

> But there are still two factors

usually not. The problem with SMS 2fa is that once a company can do it is almost always easy to social engineer them into resetting the password based on only being able to pass the SMS 2fa... which is a big problem because SMS 2fa has no security against a moderately committed attacker.

The only way you can protect yourself is to refuse to give online services a phone number.

Tell that big fintech banks in Europe. I think they it boils down that they really do not want to deal with people locking themselves out of their account by losing a normal 2fa totp.
Sure, SMS 2FA isn't great. It may even be bad. But calling for government legislation to make that decision for other people is definitely bad. This is something you ban internally at your company or chose not to use yourself. Calling for government use of force against people who use SMS 2FA is really nasty. That said, maybe I'm missing come implicit context here and he's only taking about banning it for incorporated persons like the Digital Markets Act. That would be okay. But if it applies to human persons that's really bad.

And even if I assume all the premises are true and roll with it, shouldn't password based logins be "banned" first? And we all know that's infeasible.

I'm talking about banning implementation of SMS 2FA server side. Individual users wouldn't be banned from using it, but it would be illegal to provide it as a company (or at least for important sectors like banks).
I am not talking about individual users using corporate services. Individual human people run services on the internet too. Non-incorporated businesses owned by humans should not be subject to this kind of thing. Nor should non-incorporated persons running services that are not businesses.

Only businesses that trade away their human rights for limited liability by incorporating should be covered by such legislation, if anyone.

Banks would be in shambles if someone told them this
I like Fastmail’s position on SMS 2FA: https://www.fastmail.help/hc/en-us/articles/360058752374-Usi...

In short: offer SMS 2FA, and indeed push users reasonably firmly¹ into adding SMS recovery at the least because for almost all users that’s the right balance of convenience and security, but certainly don’t limit it to SMS, offering better methods like U2F and TOTP.

(Disclosure: I was employed by Fastmail for a few years, but these decisions had been made long before I got there.)

—⁂—

¹ When you set up 2FA, it forces you to add a recovery phone number, except that you can skip that by holding down Ctrl or something, undocumented but support will tell you if you complain about having to do it; or, after creation, you can just remove it again. So yeah, “reasonably firmly”.

100%

Banning SMS 2FA is the wrong approach, because it is better than no 2FA and every cell phone supports it, out of the box.

What should be mandated is (a) giving users choice of a non-SMS 2FA method (probably just pick one for a standard, e.g. TOTP) & (b) allowing users to explicitly disable SMS 2FA on their account.

As a least common denominator, SMS is fair. But there should be an option to do better, securely, if a user wishes.

> because it is better than no 2FA

I dispute that position. Almost universally "SMS 2FA" can be used as single factor "recovery" and it is unambiguously less secure than a single simple well selected password.

(comment deleted)
Doesn't a SIM swap attack impact more than just a single user account of a service? They lose access to SMS and calls from their phone. I'd argue they learn that there's a security issue earlier and cause them to take action (contact carrier or authorities).

A friend's Mom's Facebook account was recently hacked. They didn't have 2FA set. Hacker changed her email address in the Meta account. Meta did not notify her via email of the email address change. She did not use fb for a couple of months and had no idea this had happened. Then she began receiving calls from cousins and relatives saying their account was hacked after receiving a link in a message from her.

I would've advised her to use SMS 2FA. A lot of non-technical folks from an older generation don't even bother with email.

No mention of why SMS 2FA is so popular: it's way easier for everyday users and customer support people to handle than the other options.

If you want to advance this argument, explore how customer service would evolve with a different method, or how user experience could be improved with passkeys. It's not a technology problem.

Has there ever been a confirmed case of snooping on cellphone traffic for the SMS with the one time password? I hear this argument a lot but the barrier here seems sufficiently high enough to make all but the most motivated bad actors seek other options. Even if this person is able to orchestrate the SMS capture, they ultimately are obtaining a code that expires in 10 minutes and therefore must be used very quickly before it becomes absolutely useless.
(comment deleted)
What if you lose your phone? With SMS, you can just put a SIM in a new phone and you will have access to your accounts again.
My only other experience with 2FA flows other than SMS are the "Auth" apps that generate passkeys like authy or google authenticator. But more than once, I've updated my phone, or had to reset it, or switched phones, and been locked out of a service. In my experience, there's usually no automated flow to recover from those situations, and I've been forced to resort to opening a support ticket to reset my account password in a way that's usually far more insecure and could be hacked by simple social engineering, and it usually takes a few days to a few weeks to resolve.
This is the most annoying thing about 2FA apps. I once dropped my phone and broke it. It wasn't in a repairable state. Lost access to multiple accounts due to losing 2FA apps. Sometimes, I think security people make them unnecessarily complex just for the sake of it. Not all services need 2FA. And SMS is fine for most of the things.
SMS 2F seems better than most of the alternatives. Auth apps generally suck. Maybe they're more secure in theory but in practice, it's just another vector for me to leak my login.
The author seems to assume that security is (or should be) the only consideration in implementing 2FA. When in practice, practicality and convenience are part of the equation as well. While imperfect, SMS 2FA significantly improves security while also remaining convenient.

Instead of suggesting that we put in place legislation banning it (?!), perhaps the author should come up with an alternative solution that provides improved security with the same or better convenience for end users and the organizations using it.

A lot of people have been working on coming up with such an improved system for a long time now, but haven't succeeded yet. This appears to be an incredibly hard problem.
The author has a few assumptions that I think are incorrect.

Not all accounts need the same level of security or protection. SMS 2FA can be a very reasonable option depending on the accounts. No law can make that kind of a decision in a reasonable way. So the law has to be toothless (if it leaves too much leeway) or it will remove a valid option from people.

The usability and the availability of other 2FA are not on par with SMS. The gap is not trivial as the author makes it sound like. Account recovery problem is a very difficult one to fix cleanly for all types of accounts. SMS is still a useful option.

Sim swap attack is multiple orders of magnitude more difficult than credential stuffing. It's not close to the most important attack vector for majority of people. It certainly is not worth legislating a solution for specifically. There are reasonable practical solutions for people who want protection against SMS as 2fa from sim hijacking - e.g. many cell phone providers support 2fa or pin to protect it from the sim attack in most scenarios. It's a much cheaper solution for the society than banning SMS 2fa.

> adding TOTP support is going to be fairly trivial ... This does require the user to install a TOTP app

You just lost 30% of your customers.

> It isn’t that hard to fix

You're highly underestimating the immense difficulty of convincing the entire human population to do something that engineers consider trivial.

So why is it not easy to go to bank and take someone else's money? What makes phone companies special? This, plus the universal support for spoofing caller-id looks like intentional support of organised crime. How do phone companies get away with it?
Honestly?

Let's ban mobile/proprietary devices and related apps, soft-token included. We have smartcards since decades, we have physical OTP tokens, there is no reasons to allow someone else spying on intrinsically insecure platforms for logins.

The world needs identity verification as a service. By this, I mean it should be possible to go to an office of ID Check inc, show ID and prove who i am. The id vetting company can then give you a number that you can give to a company to prove you are the person you claim to be and have your password reset.

The current system of having access to a SIM card or knowing your mother’s maiden name is ridiculous.

since it is unencrypted and SMS messages are publicly broadcast wirelessly. This means that bad actors who are physically near to you can trivially snoop on 2FA codes that are texted to you.

This is news to me. I worked in the wireless industry and our phones were encrypted and this was in the 90's, albeit GSM encryption which is weak by todays standard and also routing over SS7 which is not encrypted but that is a different set of problems. Are we saying that we have gone backwards and phones are no longer encrypted or is this specific to people using LTE-over-wifi and the people at risk are in a coffee shop? That sounds like a LTE-over-wifi problem that needs to be addressed if so. A mitigating control could be a trivial update to cell phone's to prefer LTE over wifi for text messaging or to disable texting over wifi until the protocols have been fixed to properly accommodate shared wifi. LTE over wifi uses a VPN so I am not sure what is going on here. If this is a real issue then lets address that issue. Either way I do not use shared Wifi. I have more of an issue of text messages being routed through Google by default which is extremely problematic in that it brings both SS7 weaknesses and advertising company vulnerabilities.

Perhaps I am the odd one out here and my reply won't apply to anyone else on HN. I know I am not alone however as many in my community share my beliefs and methodologies. I do not use passkeys and will not as my devices are ephemeral. If anything my dependency on cell phones and data-persisting devices will be diminished sooner than later. I tried out smart phones and I hate them. I am going back to a dumb flip phone. Hardware tokens are also problematic as most companies do not want to spend the money on either the hardware or the support costs to maintain them. For desktops I iPXE or sometimes USB boot a default image and then copy down a few config files. Honestly I just don't log into things over my phone and will not. Nothing is that important and almost everyone I do business with I can either walk into their brick-and-mortor business or I can use a desktop PC with a secure password manager at my leisure. I honestly prefer to walk into a business so that all the employees know me and will know if someone is up to no good. All but one bank account is read-only from the internet and I keep very little in that one account and outgoing ACH transfers are blocked.