
Tell HN: Please Remove SMS as a 2nd Factor - exabrial
Hacker News is a place where a lot of individuals congregate that have influence over major websites and services.

SMS "2nd Factor" was well intentioned. The problem with sending people codes over SMS is that SMS is trivial to spoof and intercept. It's trivial to port/SIM swap/steal someone's phone number, as Jack Dorsey just found out. SMS has no reliable guarantees on latency, duplication, or even transmission.

SMS "2nd Factor" is just delegation to another company for authorization, except the communication channel is insecure, unreliable, and malleable.

Discrete FIDO keys, U2F keys built into phones, TOTP apps/keys, or even apps that shake the user's phone asking if they just logged in are vastly superior.

Let's put it to bed. I'd ask the Twilio-like SMS gateway companies start to discourage the use of their services for 2FA and the companies that rely on it begin phasing it out immediately.

Thank you,
======
chupa-chups
So what is your proposed alternative, especially for the non-IT-focused
general public?

~~~
exabrial
I think we need to stop assuming the general public can't handle 2nd factor.

------
HugoHobling
I don't think it's that simple. From Google's research, SMS 2FA is highly
effective against credential stuffing attacks: 100% coverage against automated
bots and 96% against bulk phishing:

[https://security.googleblog.com/2019/05/new-research-how-eff...](https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html)

SMS 2FA can fail, spectacularly, for targeted attacks. TOTP would not solve
this, only U2F/webauthn.

~~~
a3n
<tinhat>But Google wants your phone number for correlation with ... other
stuff, and ... other people. So they _would_ say it's good.</tinhat>

------
iraldir
Yeah, also expecting everyone to have a mobile phone is a bit elitist. Mobile
phones aren't a public service and as such should not be required of users. I
stayed in London with no phone number for 4 months after moving in (call it a
social experiment or procrastination, it's probably a bit of both). Life is
hard. The number of services that require a phone number of you, sometimes for
no reason, sometimes for 2FA, is staggering. You have to fight the system so
much.

On top of that, your phone might be out of battery, forgotten somewhere, dead,
etc.

I think a simple password + fingerprinting measures (recognising the user
based on his browser, IP, machine, behaviour etc.) to enable further checks
(2FA with either mail, phone, device, security questions), and further
messages in the future in case the attacker had access to that creates a
better user experience / risk factor.

~~~
2rsf
> elitist

You can have a cheap second-hand phone (Nokia 1200?) and a pre-paid SIM with
no balance. The setup will cost you something like £10 and the above Nokia
1200 has a standby time of 390 hours, or more than two weeks!

------
arkovian
I don't think it's a good idea to remove SMS as 2nd factor.

But I think it's a good idea to encourage users to set up a different 2nd
factor.

SMS as 2nd factor is still more secure than no 2fa at all.

------
bifrost
Yes please! I support this!

------
ian0
Just in case anyone is wondering why so many banks and wallets around the
world continue to rely on SMS OTPs for 2FA. Let's take a look from their
perspective:

- Any type of hardware device screams cost. Not just the device cost. The
distribution cost, support cost, replacement cost, costs related to the
education of users that can barely find their way around a computer/phone.

- Requesting the user to install additional 3rd party applications is also
out the window. Compliance, confusion. Requesting them to go through a process
to set up some key with Google also, due to the same reasons. At least until it
manages to become part of the sign-up process on Android and the number of
older Android versions is <5%. And it works on all the flavours of Android
(think cheap Chinese handsets). And central banks are ok with it.

- Just using a mobile banking application? Shake the phone to verify? Works
when you are using it to verify an internet banking session. Doesn't when
someone has downloaded a mobile banking app and knows your PIN. This is the
reason why SMS OTPs were introduced on banking apps in the first place. The
second factor wasn't the device itself, it was possession of the SIM.

>> The problem with sending people codes over SMS is that SMS is trivial to
spoof and intercept.

It's not that trivial to spoof an SMS, at least through the carriers I've worked
with. Alphanumeric codes are locked down and banks use these. Ditto with
interception. Not Fort Knox by any means (any telco engineer can read SMS, as
can probably numerous people in the middle if they really tried), but it's
expensive and not very scalable. And yes, there have been examples of fraud.
But note literally hundreds of billions of dollars is secured by 6 digit PINs
and SMS OTPs worldwide and the banking system hasn't imploded.

>> It's trivial to port/sim swap/steal someone's phone number

Sort of. It may be trivial to do these things, but it's not that _scalable_.
And that's the reason banking systems using SMS 2FA don't all fall over due
to fraud. Also, in many countries SIM cards are now linked to national IDs,
leading these particular vectors to be less scalable.

>> begin phasing it out immediately.

Finally, I'd never rely on SMS OTP. I agree completely they need to go. And so
do banks! They spend millions on them each year. They arrive late. They rarely
work when users are abroad. Everyone would be glad to see the back of them.
But it's not something possible to just switch off. At best we can push to
support better forms of authentication to enable advanced users to migrate,
while layering in further controls on top of SMS OTPs to minimise the impact
of its insecurity until better forms of authentication are widespread.

PS: I'm not sure what happened to Dorsey, but if Twitter are resetting passwords
via SMS then it's probably deserved!

