

Ask HN: Text messages as identity verification a bad idea? - ebbv

So this morning I'm having some fun. Someone tried to gain access to my Gmail account by turning on a feature I didn't even know AT&T had: web messaging. AT&T claimed on the phone with me that it can only be enabled via the phone, but I didn't enable it and my phone was sitting next to me on my desk, locked. So clearly there's a way to enable it through the web.

The message I got telling me AT&T web messaging was enabled for my account was shortly followed by a Google verification code. So someone was trying to use that feature to access my Gmail account.

Which got me thinking: which is the big mistake? Allowing a way to intercept text messages via the web, or assuming that text messages are a secure means of verifying identity?

Text messages as identity verification have become fairly commonplace, but in light of the fact that they can be intercepted on the web, is that at all a good idea?
======
RollAHardSix
I can only offer anecdotal evidence from my own life.

My credit union previously offered a text message code when registering a new
computer, now they call me directly.

Again it's not much, but I can only imagine they switched it for a reason.

------
tomkinson
It's very secure, if you verify and only send authorization tokens to MINs.

------
ig1
You can turn off SMS verification and use the Google Authenticator instead.

