Hacker News new | past | comments | ask | show | jobs | submit login
SMS is not 2FA-secure (issms2fasecure.com)
867 points by sergeant3 on Jan 10, 2020 | hide | past | favorite | 371 comments

This is great; it's a Princeton research project from Arvind Narayanan's (@random_walker) group, in which their team made 10 attempts to SIM-swap each of 5 different carriers, including T-Mobile, AT&T, and Verizon (all three of which were, weirdly, less secure in some ways than the 2 MVNOs they tested).

Most notably: AT&T and Verizon both use call logs to authenticate SIM swaps from people who don't know the account PIN; requestors are asked to list recently made outbound calls, or in some cases inbound calls. A targeted attacker can trick a customer into making a known call (or, obviously, can simply call the customer to make inbound call records), and then authenticate with them.

AT&T uses billing statement data as a factor. But the research team was able to "spoof" billing statement data by purchasing prepaid refill cards and applying them to a target's account.

The report also identified a bunch of online services for which SMS was used not just as a second factor but, through account recovery, as a sole factor, meaning you're substantially worse off with SMS authentication than you are without it at those services. The reality is probably worse than the report highlights, since a lot of account recovery processes are informal and ad-hoc, and can be socially engineered into relying on SMS.

> account recovery, as a sole factor, meaning you're substantially worse off with SMS authentication than you are without it at those services

But if in those cases you disable SMS auth, then you can't recover your account right? That might be considered worse off in some cases.

What worries me isn’t that I might not be able to recover my account if it uses some other form of authentication, it’s that I might not be able to recover my account because it requires authentication from a phone number I lose access to.

This just happened with my AWS account. Changed phones and forgot to update the number. Didn’t realize it until it was too late. Their recovery process without the phone is incredibly onerous (as it should be) and way too much hassle for me to go through for a small personal account. I just deactivated the credit card that was getting billed and let the account get cancelled. That was a hassle, but not nearly as much as getting back into the account.

And by the time you regain access to the phone number, the account might already be using a different one...

They generally run a cron job on your email to see what are the vulnerable accounts & then decide in order to which one is most important

So how SHOULD this problem be solved? How should account recovery work?

Walk into a store and provide a government ID and the original SIM card. If customer doesn’t have the sim/phone, send a recovery code to the billing address on file in lieu of the SIM card.

> Walk into a store and provide a government ID and the original SIM card.

This is how it works in Poland since September 2019, after some recent SIM-swap attacks. You can swap SIM or get a replacement if stolen only at store showing government ID. It is free of charge with Orange and not always free with T-mobile.

But this has some downsides in real life.

1) I had to walk my 88 yo Mom to the store to swap SIM card.

2) Every clerk at every shop can do that so for a determined criminal it is possible to bribe or threaten one.

3) Virtual operators (MVNOs) usually do not have physical locations and there is a dozen of them.

The problem is that the ID is still checked by the clerk. They could be bribed or tricked by a fake ID.

A recovery code snail-mailed/e-mailed to the account holder when they first open the account is the correct way to go, and if they can't provide it they need to go through a lengthy process where many factors are used to authenticate them (verify their physical address, verify their ID, ask to confirm last call records, billing details, etc).

You can require the clerk to note the document ID to avoid bribery.

How would this work exactly?

The clerk has to use some kind of online system to connect the new sim to the customers phone number. The system would obviously require the clerk to authenticate himself and could require him to enter the passport number or other document ID he checked to verify the customers identity.

If later it turns out this was a sim swapping attack you can verify if the clerk entered a valid document ID. He can’t do that without having been presented a proper document, so you can tell if he checked.

Its just convenience over security. Lot of things can be done but then the extra burden that companies have to go through. Think about that people don't use app based authentication because it's inconvenient even though it matters to them. How can you expect carriers to do it

That’s easy, just make the carrier financially liable for the damages caused by sim swapping attacks.

Ah, thanks.

I wasn't sure how would you solve the problem of verifying the ID card without showing the previously recorded number to the clerk. But simply requiring to every time just punch in the ID (and maybe scan the whole card to check the photo later) could work - if the system only returns a big OK or BAD signal.

Currently here, in Hungary, the clerks just photocopy the IDs though. And there was a big scandal a few years ago (in connection to the ISIL/ISIS attacks in EU) about some groups obtaining hundreds of thousands of SIMs for just a few names.

On your second point, a determined criminal could always deploy rubber-hose cryptanalysis on a 2-factor authentication scheme, but it's still a significant improvement.

Your first drawback is substantial, though.

> criminal could always deploy rubber-hose cryptanalysis

That would be smart criminal with means. I was thinking more of a hood with fat neck passing $20 to clerk assistant to obtain SIM for $5k fraud.

Or like the recent case where it's alleged that carrier employees were actually in on SIM swap scams.


The clerk is looking at ID and comparing with data in the system. If bribed he can always claim that ID looked legit or he made honest mistake.

So easy for evildoers and so much friction for law-abiding customers.

I think most people fail to realize that excellent fake IDs cost like $50. (A tad more in the EU because of the lower drinking age)

If you make the carrier liable for damages in case of fraud, there would be process to mitigate the risk from one bad actor. Like the bank requires a manager approval for certain high risk transactions like international wires.

Too long of a moon shot. Generally the T&C are limited to actual loss, like you lost your internet for 2 days so they'll reimburse you for 2 days of bill but not if you lost a business deal. Similarly in case of airline if you missed your game. they're not responsible for the game tickets

What if you are abroad? My debit card was recently blocked and I had to wait until I went back, walked in the bank and show my face and ID.

Before you go abroad you could notify your bank. Then in period you declared you are abroad they should lower expectation from "in person and ID" to phone call and other means of verification. After that period you are automatically back to normal security.

That is for example how my debit card works. If I want to use it abroad I have to turn that feature on for whatever time I am abroad.

In Europe you have a telephone PIN codes, you have number generators on the app. There are lots of ways to authenticate yourself. IN Europe you no longer need to tell them whether you're abroad or not; I guess the ML algo's that monitor for fraud are so much better than before that this isn't needed.

> IN Europe you no longer need to tell them whether you're abroad or not

The same is true with my major US bank (and probably other banks too).

YMMV. An ING ATM in Romania swallowed my gf's U.S. Santander card a couple months ago. We were told it was because she hadn't set a travel notice.

Losing a bank card isn't as critical as losing a phone # so companies have to act quickly. Think about it - Can you live without your bank card for few days vs living without your #

I'm going abroad all the time and I'm sure this wouldn't work anyway. Last time I was in their office I realized how backwards they are.

So the bad guy can just notify the bank that you are traveling abroad, and then use the easier method to gain access.

I think we just need to be prepared for these sorts of things. Travel with cash, your debit card, and one or two credit cards. If you can afford it, have a backup SIM (Twilio sells SIM cards for about $3 and the cost to keep them activated is $1/mo, and nothing more if you don't use it [0]). Use a Twilio or Google Voice number that you don't use for anything else for 2FA or account recovery for services that require a phone number (some providers reject these numbers, but many will accept them).

[0] Full disclosure: I work at Twilio and built the first version of the wireless product, so I'm a bit biased.

It's about convenience. 99% of the people will take convenience over security. Changing behaviour is difficult

I get that, but if you want to remain reasonably safe from a SIM swap attack, this is what you have to do.

Cool. What store? Do all services that provide accounts need physical stores now? How do you ensure the store endpoints are trustworthy, and actually checking said IDs and SIMs?

I meant for the services currently relying on SMS for account recovery... for example, how should you recover your gmail account if you lose access?

Use backup verification codes and a recovery email address.

Also, remember the date when you created your Google account. The best way to find that date may be to look at the first email you received in the account.

".. a recovery email address"

This just moves your security issues to another account.. how many layers of recovery email address are you willing to go before hitting the end?

What you can do with email is move the problem to your most secure account or to an account that you know how to recover under essentially all circumstances.

As I mentioned before that it's just convenience. SMS based authentication is flawed and is also prone to SS7 Attacks but people just do it because it's simple. Nothing in the world is hack proof

what store for online-only services?

Yes, like my mobile service is provided by a German supermarket chain that has outsourced the operation to somebody else, who run it as a virtual network over somebody else's cell network. The nearest of these supermarkets is hundreds of kilometres away, and the checkout operators are unlikely to be of much help.

Photo ID seems like enough, no?

Problem with a government photo ID, There's no way to verify its authentic besides a visual inspection. I consider them as secure as SMS 2FA. For $200 and someone could get passable ID with your name on it.

That's the key problem that US needs to solve - the businesses don't really have a solid gov't ID system to fall back on. In most of Europe (UK seems to be more like USA as far as I understand) passing on a counterfeit ID to a mobile shop is harder (and more rare) than paying with counterfeit money, the IDs can be checked, employees are required to verify online if that ID has been reported lost or stolen, etc.

I mean, in Europe if criminals want to get a bunch of stuff on credit from some place with a disposable identity, they generally recruit poor/homeless people with real IDs, because that is simpler/cheaper/safer than trying to do it with counterfeit IDs.

SMS hijacking, just as the core identity theft issue is so much rare elsewhere - it demonstrates that it's a solvable issue if the USA wanted to solve it. (in some sense the discussion on identity theft reminds me of https://www.theonion.com/no-way-to-prevent-this-says-only-na...) However, the straightforward way to do that would require a proper single centralized (i.e. federal) gov't ID issued to almost all people, which seems to be anathema in USA.

>In most of Europe (UK seems to be more like USA as far as I understand) passing on a counterfeit ID to a mobile shop is harder (and more rare) than paying with counterfeit money, the IDs can be checked, employees are required to verify online if that ID has been reported lost or stolen, etc.

Can you detail which "most" of Europe you are talking about?

In Italy, while obviously you have to produce an ID card, there is no way that it can be checked online by "an employer", only Police (and Carabinieri) can do those checks, and of course ony for Italian issued ID's, moreover in some other businesses besides SIM card selling where the ID is needed (as an example hotels, AirBnB's and similar, car or tools renting, etc.) the actual employee never had a formal, official training to recognize forged ID's so everything is demanded to the single employee common sense and experience/knowledge (often zero or next to zero).

Particularly with "foreign" or "uncommon" pieces of ID's even if Italian (besides the "normal" ID cards and passports there are a number of other documents that have ID value) it is extremely difficult to understand if it is forged.

In UK AFAIK there is no national ID card, so you are limited to passport and/or (if valid for the scope) the driver license.

Plus Italy's national ID is laughably insecure. It's a laminated piece of paper. I remember when I was growing up I had an Italian friend in the UK who went out to a bar for her actual 18th birthday. When they asked for ID, she showed it to them and they kicked us out because they thought it was fake. It was not.

No, it isn't (anymore), not everywhere, but in spots.

For the record - for a period it was laminated, and then it was forbidden to laminate it (as forgeries were somewhat simpler with the laminated one, though I don't know the details).

Old ID card (paper, large, duration - theorical - 5 years, then extended to 10 years, practically indestructible, i.e. they actually lasted the 5 or 10 years):


New ID card (electronic, credit card size, with chip[1], duration - theorical - 10 years, usually illegible after 2 or 3 years in a wallet unless you use a protective cover):


And whether you get the one or the other may depend on the city (comune) as most will use all the empty paper documents they have in storage before starting issuing the new electronic format.

[1] for which noone or nearly noone has a reader BTW, the whole stuff is somehow experimental, even now that we have an app (Android only):



You can get a federal ID. It's called a passport card. It costs $65.

The US also has the REAL ID[0] standard that requires IDs to meet minimum standards in order to be accepted by the federal government.

If carriers just required a REAL ID compliant ID in order to get a new SIM, and actually checked it via the chip or magnetic strip, I think we'd be good.

[0] https://www.dhs.gov/real-id

You can get a federal ID. It's called a passport card. It costs $65.

Which is usually a really crappy idea when you want to save a few bucks compared to a real passport.

They're umpteen stories of heartbreak and hurt, by people not being allowed to board an international flight, or a cruise which stops at destinations not covered by a passport card.

They're also those that thought it's a great idea to get them for their kids.

With the same consequence. A passport card does not allow you to fly internationally. Not even to Mexico or Canada.

Obviously not, it's not a passport. It's a card.

I'm not saying use it for international travel, I'm saying use it as an ID? Literally any American citizen can get an ID card for $65 that is accepted everywhere someone asks you for ID.

If we started taking things a bit more seriously, we could also get that fee down by subsidizing it.

I have a counterpoint from my experience in France.

A few years back I have lost my phone and went to get a new SIM. The attendant in the shop only had a quick look over my ID card. He didn't scan it nor did he enter the ID number in the computer to check anything. I think he only verified that the name was the same as the one on file and the photo looked like me.

The same happens at the post office when you go to collect a parcel / registered mail.

On the other hand, in almost every bar I've been, staff would do a quick check with a pen on every 50 € note they would get, and those notes are fairly common (two cocktails in a random bar in Paris can often cost more than 20 €). I don't know how effective that is in actually detecting counterfeit bills, but there's clearly more effort that what the other clerk did.

The pen contains a chemical that interacts with the paper that's always used to make these bank notes. Specifically it blackens the starch found in wood pulp, and the paper in your laser printer, photocopier, etcetera uses wood pulp because that's cheap. Bank notes use a higher quality paper and so they aren't turned black.

This forces crooks to use more expensive and traceable high quality papers for their counterfeit notes or they'll get rejected in stores and bars.

Having IDs that actually look up to anything at all is a relatively modern idea. When I was born if you suspected a passport in my country of being bogus it'd probably take a bunch of clerks several hours of physically looking through filing cabinets to check.

And where we build systems that can check often people don't. The UK government built a system which lets a driver prove to the government who they are and then get a token value back which they can give to anyone - that token can be exchanged for viewing the government records for that driver. So e.g. hire firms could insist on this token to see you're not disqualified and actually have the entitlements your physical driving license says you have.

They don't. Some of them will let you give them this token reluctantly but all prefer you give them a print out, which obviously you could just fake.

I still think the system is very much gameable. In US atleast it'll take lot of time. We still have to swipe cards and checks are accepted

I'm in retail in the UK at the moment. For doing credit, the main way we use is by drivers license. I plug the details into a form at the till and check the face. It does an online check with the DVLA.

I’m not in the US, but the only ID card without a chip that I can think of here is a European driving license, which is just a plastic credit-card-sized thing that is often used as informal verification eg to collect a parcel.

Not necessarily, all IDs here in Portugal have a chip that can be used to verify its authenticity.

$200 and greater risk of getting caught -- that's still a step forward. Right now it only takes sitting at home spending a few cents to call customer service and social engineering them.

This is not true everywhere. There are Aadhar cards in India where you can confirm your identity with biometrics at any store using government-provided equipment that many stores have.

My DL has a barcode that can be swiped. They already use it at grocery stores to confirm that you are over 21 and that it's a real ID.

Does the bar code act as a key to lookup a record in a central database, or does it just encode "I am 21, trust me" without any cryptographic signature?

Unless it's the former it's as good as a standard paper ID as far as forgeries go. If anything, having it machine-readable decreases security as it means the person inspecting it spends less time looking at it and just scans it in a machine.

I can almost guarantee it's not the latter.

You would lose; the barcodes are just machine-readable packaging of the information already on the licenses: name, DOB, address, etc.

A sim transfer/ account recovery process should come with a transition period of multiple days during which SMSs with warnings are sent to the original sim card.

On top of that, one could think of: A passphrase to authenticate a number transfer to another sim.

Sending a code through physical mail.

I've implemented something like this at Dontport. There are few work arounds but again security isn't something that's on top of traditional carrier because it's a problem with a small set of people

Nice product!


Do you know if something like this exists in europe?

Not yet, but soon we'll launch in Europe too

Apps like Google authenticator, or more conveniently, a Google voice number. The Google voice solution works well since it can't be Sim swapped, and can be accessed via email (admittedly, a potential downside).

Google voice is a US only service.

How do you recover your google voice account if you lose that?

And down the rabbit hole we go...

Long recovery passphrase that you write down and keep in a safe

And if you lose that?

Well first of all using a password manager should be the last resort recovery strategy. Unlike device based 2FA a password manager allows you to make an unlimited number of backups.

After that 2FA should always be device specific. If you want to do 2FA with your phone then the 2FA challenge should not get sent via an identifier like a phone number that may change owners. Instead you should download a 2FA app that generates a private/public key pair where the public key is linked to your account. That way the only thing you need to do is wipe your phone remotely if it gets lost.

A web of trust style arrangement would be interesting, 2/3 of previously named recovery pals would have to verify you.

What about setting up two mobile phone numbers for recipients of the recovery code: 123 sent to phone #1 and 456 sent to phone #2? (Phone #1 is yours and phone #2 is your elected trusted partner’s)

Won’t this work?

Who should single people sign up as #2? Their mom? And what if your SO is currently unavailable?

This is a terrible scheme.

Doesn't have to be SO. It can be a trusted friend who knows in advance that you may voice call them in a password recovery scenario (voice calls not via text).

Edit: regarding the "lack of availability" at the point of wanting to reset the password: the urgency of resetting passwords should be considered a lesser inconvenience than the risk of having lost control of your account through insecure 2FA.

(I am simply supporting my original brain storming thought through ... I am not married to this idea in any way or form. Just a thought.)

Seems straightforward, all these phone companies have endless kiosks and offices. Legislate that a phone number can only be transferred by making a confirmation call to the old phone or in-person with a salesperson who is checking ID.

In Europe, neither of these is viable without a complete overhaul.

- There are online-only providers. E.g. Giffgaff in the UK, Mobile Vikings in Belgium, etc. - Many European countries offer prepaid SIMs that aren't tied to ID. Instead, you can just buy them in the supermarket the same way like you would a gift voucher.

On the contrary, in most European countries, due to anti terror regulations, you now need an ID to buy a SIM card or if you've bought one before this new law came into place you have to send a picture of your ID to the Telecom operator or your sim card gets deactivated.

Not saying I like this or that this is good way forward but it's a reality that contradicts your assumption.

This will do nothing to deter malicious SIM swaps. Someone who's happy to take over your number and then steal your money is also happy to present a fake ID and pretend to be you.

What kind of ID is it? A proper barcoded photo ID that corresponds to a government database? Because with that you can verify that the ID picture matches the one in the government database.

I don't live in Europe, but with Orange, I had to upload a photo of my EU passport (they didn't accept a non-EU passport to extend the lifespan of the SIM card).

Offtopic: those laws seem kind of silly if you can still get a valid SIM for 10 days without any ID. Seems more to be about surveillance than about anti-terrorism.

Assuming that ID gets logged in a database accessible to customer service people, it seems like a database check for IDs and IMEIs would be workable as a way to confirm "sorry, we can't port that number to your new SIM card, the ID card registered to its IMEI doesn't match your old phone number's ID card". You could still do it over the phone, then, since an ID was logged against your sim card when you bought it.

People can be bribed and that's the basic flaw

I wish Apple added iMessage as a service to make 2FA more secure.

I wish banks and suchlike would get with the program and use Google Authenticator or equivalent.

Even if iMessage could be a more secure 1.5FA, it would still be 1.5FA and not true 2FA.

After using TOTP like Google Authenticator since around 2013, I now think the friction needed is just too great. Especially for banks which log you out after 15 minutes or so of idleness. Google doesn't do that.

Not to mention Google Authenticator deliberately prevents these stored tokens to be backed up and transferred to a different device, which makes upgrading devices troublesome.

I wish everyone would start using Yubikeys. WebAuthn is now widely supported by browsers.

Why not use an open TOTP app like AndOTP. I use it all the time for sites that claim to require Google Authenticator, it works, and its easy to backup the secrets as plain text or encrypted with a password. I keep it current on my primary phone and a cheap offline backup, in addition to backing up the encrypted secrets file.

I use Authy on iPhone and Mac. I am looking for an OSS replacement but would not want to setup everything from scratch after I change device reinstall the app like Google Authenticator.


iPhone backups back up its data correctly—my codes survive new phone restores where they do not with Google Authenticator.

Thanks for sharing this link.

I've wanted to get off Google Authenticator for awhile now, mostly because of the backup-restore problem, also a general trend of limiting my involvement with the company.

Bitwarden does a decent job of storing and syncing TOTP codes. Make sure you always use a long password with Bitwarden though, to avoid a known and unpatched issue with their password-based key derivation.

Oh, didn’t know BitWarden did it. That’s my password manager :)

What issue is that?

People recommend Authy. As far as I can tell they rely on cloud sync/backup like any other app in that space.

Isn’t google authenticator not using this on purpose? Central account and sync is googles thing and yet they deem it too insecure. Completely understandable

So how can using a central service that adds yet another attack vector be of value?

What I would love to have is a paper export. Every time you add a new account to google authenticator you can print it as QR code for later reimport.

Yes many services already provide this for you via recovery codes but having it on a per service basis directly from authenticator is probably much easier to use and not less secure

Any reason this wouldn’t work?

I can't see any, based on my slightly more than superficial dive into this area when working on my own two-factor application.

Don’t put them in google authenticator.


That sounds good but put them in Authy. That lets you have multiple devices whereas Google limits you to one device.

It's great that people use can use one app for both factors but it seems less secure than two apps.

For example, use Authy for TOTP and LastPass for long passwords. That's two things that have to be compromised. And both of them allow you to have multiple devices (for example iPhone and iPad).

Its great functionality but it reduces your security. Say someone somehow figures out your 1Password password and security key - if you store your OTPs in Authy, your passwords are useless (well, less useful anyway). If you store your OTPs in 1Password, they have the keys to the kingdom.

This is technically true, but the most likely scenarios that result in the discovery of your secret key (128bits of entropy) + master password (?? additional bits) involve things like a device compromise. If your machine is compromised, you’re probably already exposed to things like session cookie stealing. At that point your attack surface is already blown wide open.

The biggest thing 2FA protects against is credential stuffing. If you’re using a password manager and have high entropy site-unique passwords, the additional entropy by TOTP is mostly moot anyway.

TBH for me my threat model looks like this:

Passwords - protect against unauthorized access of my service accounts, and 1Password - can be compromised via logging or breaches or just plain peeping

Secret key - acts as 2FA for my 1Password and thus protects my master password from unauthorized use - can be compromised if someone steals the physical paper on which it's stored

TOTP - protect against unauthorized use of my service accounts - can be compromised if someone compromises my mobile phone or phone number. Highly unlikely someone would spend that kind of effort and €€€ on me though

All in all its a pretty nicely tiered system. If someone gets my master password, they still need the secret key. If a burglar steals my secret key, they don't have my master password. If someone somehow compromises both of those, they still don't have access to my TOTPs and thus can't login into any of my 'cricital' accounts (basically e-mail, hosting providers, finance, etc. etc.)

Now imagine you have an malicious spouse or housemate or whatever: they could easily learn your master password by peeping over your shoulder, piecing it together bit by bit (ha). They have a lot of opportunity to search for your secret key as well. If you put your TOTPs on 1Password, you're boned. But if you have them in an authenticator app, even having access to your password manager means jack because they can't login without your TOTPs.

I know one of the big faux pas is to talk about your security but most of this stuff can be deducted pretty easily so I don't feel too exposed.

Wow that’s awesome! I had no idea 1Password had this functionality so thanks for sharing. I just had a rough time after upgrading my phone dealing with Google Authenticator since I hadn’t realized my Auth info would not migrate along with the rest of my data...

Yes that's what I've been doing after being burned by Google Authenticator once. Not to mention I actually prefer the UI design of 1Password.

Isn't that solvable by not requiring 2fa for "registered" devices?

Exactly. You should only have to enter the second factor on a given device once, at least optionally.

What about the device getting compromised?

> Not to mention Google Authenticator deliberately prevents these stored tokens to be backed up and transferred to a different device, which makes upgrading devices troublesome.

It doesn't offer export in the app UI. It's not doing anything to prevent you from backing up the tokens yourself; they're stored in the clear in the sqlite database for the app.

If that's too much for you, there's a good chance https://github.com/puddly/android-otp-extractor can get them automatically.

Use Authy instead of Google Authenticator. Problem solved. RFC 4226 doesn't specify that you can't have shared devices.

Use Authy. Can be transferred to a new device.

>Not to mention Google Authenticator deliberately prevents these stored tokens to be backed up and transferred to a different device, which makes upgrading devices troublesome.

If that were possible then you would face the same problems that reused SMS numbers suffer from.

AFAIK, in the EU all banks are required to have "strong authentication" which usually means using 2FA via biometric authentication on your phone.

Classic Google Authenticator does not seem much more friction than that.

That is not true. Banks in the EU seem to vary a lot, as the definition of “strong” is not defined (plus many banks have not introduced it yet). Biometric is definitely not required. I use hw tokens but at least one of my banks is trying to move to weaker auth.

I didn't say biometric is required, I said it's normal to have 2fa with friction, an hardware token is just as much friction as TOTP or biometric.

I am surprised your bank is moving to a weaker auth, what does that mean?

I have 3 bank accounts in 2 countries and they all switched to biometric because it's just a simpler experience then the hardware token or "mobile token" they used before.

WebAuthn is definitely the way to go. The security key approach is such a better user experience that the app based approaches.

What absolutely confuses me is.. aren't TOTP authenticators like the cheapest 2FA option to begin with?? No need to have some fancy SMS Enterprise account with a Telecom or pay okta or duo or entrust a bunch of money. It's FREE, all you have to do is implement the server side which is very straightforward.

A cost of implementing TOTP is ID verification at the time the user needs replacement credentials, eg when they lose the phone that had their TOTP secret. With SMS, this cost is offset to the mobile carrier, though as discussed here, carriers have their own vulnerabilities.

A further cost is that they usually require the user to install and set up an app, contrary to SMS.

OTP using an app has a very low adoption rate. You'll be surprised that even on crypto exchange 90% of the users don't have access to any kind of 2FA let alone Apps. Only less than .1% of the users have an app installed. It's not convenient

I wonder how that looks like for bank apps? Banks could (and I’m sure they have) offer their own TOTP client, perhaps a bit more integrated. I’m sure that would be easier and offer a better experience than downing some random. "Google Authenticator" app.

Yes, that works well. My bank has integrated this functionality this functionality into their mobile app, allowing one to use it to login on a computer. When large amounts are to be transferred, the bank-supplied 2FA device is still needed though (which can be annoying, but seems sensible).

This scheme also works really well with payments from your computer. Just use the bank app to scan a qr-code on checkout, verify the payment details on your phone, touch a button, and you're done.

I'd guess that a majority of the bank's clients are using this method. This is in the Netherlands, by the way.

I use Authy for all my accounts and it’s way more convenient than SMS.

> aren't TOTP authenticators like the cheapest 2FA option to begin with??

They are precisely equivalent to asking for two passwords on login instead of one password. "Something you know" and "something else you know". So pretty much, yeah. SMS may not be especially secure, but it is at least an actual second factor.

My banking app requires a pin (or fingerprint) to read data, and a password to make transactions.

The website requires a temporary code, generated by a card reader and my card. It works like a 2FA code, as I need to _have_ my card and to _know_ its pin.

In Norway most banks have been using 2FA for 15 years or more I think.

Recently however it has become somewhat less strict it feels[0] and I can now log in to my bank app using FaceID or a pin code.

Normal bank websites still demand a code from a hardware token (think RSA key, but with a pincode and sequence-based instead of time based.)

[0]: I realize it might be that they are just as strict only doing more work in background to verify me instead of bugging me.

My bank does. The iPhone app can generate tokens. I get the feeling that US retail banking is way behind Europe.

My brain isn't working right now... Can you tell me why something like google authenticator could not be executed as a website? Does it have to be an app?

Just wondering if there could be an easier non installed version that was always available.

Apologies if it's a really silly question!

You can run TOTP in javascript sure http://blog.tinisles.com/2011/10/google-authenticator-one-ti...

But how do you protect access to the website - with a username and password? Or do people now need to remember another code like "JBSWY3DPEHPK3PXP" to set up the authenticator everytime they visit?

Mobile apps were one way to solve this although the hardware U2F tokens like Yubikey provide another authentication factor in a usable way (and more secure than TOTP because you can't be phished to enter them on the wrong site).

That's right, in fact if people remember that secret then it's not a "second factor" it's just another part of their password. A "factor" in the context of authentication means one of the various ways that can be used to verify someone's identity: "something you know" (password), "something you have" (non-duplicatable object, eg a SIM card or OTP token containing a secret that cannot be easily guessed or extracted), or "something you are" (biometrics).

> in fact if people remember that secret then it's not a "second factor" it's just another part of their password.

This is more generous than it should be. Your TOTP secret is just another part of your password regardless of whether you personally remember it or not; what matters is that, if I would like to be you, I only need to know the secret.

TOTP has a secret which is basically the seed of the calculation. The security basically comes from that secret being only on the phone you have and not being copyable. Moving it to the server removes that proximity. At least thats how i see it, but you could do it very easily server side if you wanted with equivalent security loss.

Having the secret only exist on a single phone is the most secure, but keeping a backup of the secret for recovery if you lose the phone only lowers security a negligible amount if you are careful about it.

If it is an account you set up from home, probably the simplest thing to do is print the setup page before you scan the QR code for the secret. Even better, print the page, and then scan that QR code from the printout. Then store the printout where you keep other important papers (e.g., mine would go in my fire proof safe).

Another possibility is to scan the code on two devices. I scan on both my iPhone and my iPad. Nearly all realistic scenarios that involve me losing both of those at near the same time also involve me dying.

People chasing perfect security by only putting their TOTP codes in one place seems like perfect being the enemy of good. Back up you codes people! Put them in an encrypted file and back that file up in a bunch of places.

Encrypting a file is a bit arcane, but not difficult:

  openssl enc -aes-256-cbc -pbkdf2 -iter 1024 -in plaintext.txt -out cryptotext.dat
Decrypting is about the same:

  openssl enc -aes-256-cbc -pbkdf2 -iter 1024 -d -in cryptotext.dat -out plaintext.txt
I'd suggest writing a couple of shell scripts. You might also want to overwrite the plaintext file with /dev/urandom afterward and delete it.

Do you have one encrypted file with all the codes, or do you have one file per code?

I prefer one file per code. When I get a new code, I make a directory named after the account the code is for, save a screenshot of the QR code in there, save a text file with the text version of of the code and any one-time recovery codes the site provided. I then make a .zip for .tgz from that directory, encrypt that, and save a copy in the cloud and locally. The local copy is in a location that is included in offsite backups.

If you use one file per code, I'd recommend using a public key system for the encryption. That way you don't have to enter any secrets to encrypt a new code. You only enter anything secret when decrypting.

This has a few advantages.

1. Less chance of accidentally exposing the key.

2. If like most people you use the same key for all the files, no chance of unknowingly mistyping the key resulting in a file that you cannot decrypt later.

3. If you need to recover a code, you only need to decrypt that code.

If as you suggest you wrap this in shell scripts, you can address #2 there. Have a reference file encrypted with your symmetric key. For encryption, the script can ask for your key and verify it was typed correctly by using it to decrypt the reference file.

Also worth considering is using an encrypted disk image. I believe that all major desktop operating systems provide reasonably easy ways to create, mount, and dismount such volumes. Whether you use one file per code or all codes in one file, the file or files can live on an encrypted volume that you only mount when you are saving a new code or recovering an old code.

The advantage of that is that there is no need to use any arcane commands or install any extra software.

Having a simple encrypted file means you can stuff it on an online backup though. The point is to have the keys stashed in several places so the loss of any one or two devices doesn't lock you out of your life.

I prefer keeping it as simple as possible since the consequences of screwing it up are a whole lot of hassle and possibly being locked out of some accounts forever. One downside is when you add or change a code you have to update all of your backups. A second script that syncs all of the backup files is also helpful to have.

I could see Apple offering 2FA as a core feature, at least on iOS.

In fact, Apple should redesign Keychain into a user friendly, 1Password-lite product with 2FA built-in (1Password offers this too) or as a separate app that works with Keychain.

iCloud Keychain is already a better-than-1Password 1Password-lite and 2FA itself for your Apple id is built into iOS and macOS. I think the limiting thing there is desktop Safari - you don't really notice the full integration unless you're using Safari on macOS as well.

Apple has had mandatory device-based 2FA for a while now, but it only works for iCloud logins.

Yes, super annoying. Now I can no longer get into my Apple Developer account without walking to my development mac I use to run xcode builds (for a react native app), since for some bizarre reason the only 2FA they support is their own which requires Apple hardware.

It's bad enough their development toolchain requires you to buy their hardware, now to log into their websites you also have to buy their expensive hardware.

Apple continues to support SMS as 2FA. It is a bit hidden when signing in.

I just want TOTP.

Isn't iMessage just as vulnerable to SIM swapping and number portability fraud as SMS?

Once you have control over a phone number, you can register iMessage as that number on a device you control.

It depends. If your iMessage account is tied to an Apple ID used on multiple devices with 2FA enabled then the code is sent to one of those other devices to validate the login on the new device. So if you are fully in the Apple ecosystem and have 2FA enabled then I believe it would be secure. I know I get alerts on my other devices any time I have had to re-add my phone number to an Apple ID. It tells me my phone number is now being used on another device. So at the very least you would probably be notified.

When you get the prompt to input the code, just choose "Did not get a verification code" and it will fall back to SMS.

See: https://blog.elcomsoft.com/wp-content/uploads/2016/03/apple_...

Interesting, I did not realize that.

This is a great find too

iMessage is only tied to an Apple ID for the e-mail part (where they can send iMessage to your e-mail). The phone number part is independent of that and you can take it over provided you prove ownership of the phone number (by inserting the SIM into an iPhone, it'll send an invisible SMS to Apple and back and that then activates iMessage on that number on that new device).

Apple accounts in general also have mandatory SMS 2FA if 2FA is enabled.

Isn't there a registration step for new SIMs with iMessage?

I think there’s an SMS sent without any visual indication and without asking for explicit permission (or I missed it if there was a tiny text warning). I noticed it when I saw an SMS, in my bill, sent to a Singapore number which, as an international SMS, was changeable (SMS is mostly free here).

Why the downvoting? iMessage is a hundred times more secure than SMS. It’s got E2E encryption and a published security paper.



iMessage still depends on verifying your ownership of a phone number and can be taken over with a SIM swap attack.

My understanding is that you don't even need to do a SIM swap, because the SS7 signaling system is insecure. SIM Swap is likely the easiest way as wage-slave employees are quite pliable to bribes[0]. But if you want to be even more anonymous, you can apparently re-route texts remotely [1].

0: https://www.nbcbayarea.com/news/local/mans-1m-life-savings-s...

1: https://www.kaspersky.com/blog/ss7-hacked/25529/

I thought both these vectors were already common knowledge to HN readers.

> I thought both these vectors were already common knowledge to HN readers.

One person can't know everything... that's why I come here. Thanks for the info!

Yep, the security problems with the mobile system are ghastly.

- Stingrays...

- Operator app pushes to SIM cards...

- Secret GSM processors and software internals

- Voice / text / data "ciphering"

- Protocol-level "emergency" tracking features

- Silent SMS (sounds like its from a bad cop show but its actually a real thing it turns out.) "They do not show up on a display, nor trigger any acoustical signal when received. Their primary purpose was to deliver special services of the network operator to any cell phone." -- sounds like it has a completely legit use...

The list goes on. It's enough to make anyone want to get the tin foil out. But at least in this case there's a simple and clear recommendation: --not to use 2-factor auth by SIM--.

> sounds like it has a completely legit use...

The original purpose of silent SMS was to send voicemail or missed call notifications to handsets, which would trigger an icon to be displayed on the device. Sending a regular SMS would be annoying as the user would have to delete it - after you've listened to your voicemail, another silent SMS can be sent to turn off the notification. Also originally SMS was stored in the SIM itself which had limited memory, so it would be not be very convenient if you didn't receive a voicemail message as your SIM was full. Remember this is a 28 year old feature of GSM.

The tracking argument seems somewhat mute, maybe when this first came to light 10 years ago it wasn't the case, but nowadays I would be very surprised if operators do not keep detailed logs of all the IMEI (unique identifier for a given device) and IMSI (same, but for the SIM) that connect to their towers.

The SIM Swap would seem to be a bit more accessible to the average fraudster. Hacking SS7 apparently requires setting up a "hub" and obtaining a carrier license from a lax country. That is, until we get to the bit about "illicit merchants offering ‘Connection-as-a-Service’ to such hubs."


> obtaining a carrier license from a lax country

Carrier license sounds much more involved than what it is. It's not uncommon to sell full SS7 access to companies that are not operators in the regular sense.

>SS7 signaling system is insecure

If people knew how telcom (and the internet) was held together with bubblegun and duct tape...

Multiple proposed fixes and replacements to SS7, to the best of my knowledge none of them are going anywhere. And even if it was pushed hard, it has to be a global thing.

Governments and the security industrial complex do not want it fixed. Vulnerabilities in SS7 are features to exploit, not bugs.

More than that it's the amount of work and cost. Average consumer doesn't care about it so why fix something that's not broken. People won't pay more for it

I am pretty sure this is how they got Bezos' texts. All you need to do is register a CLEC and then you can get your official hookup to SS7. My experience isn't with messaging but I'd imagine if you bid* to deliver messages to a certain area much lower than other carriers, you can target people.

* Bidding doesn't happen in real time, but you can tell carriers your "rates" so to speak.

I'm just amazed he was stupid enough to not understand that his texts, messages and devices are compromised.

In the future, the term SIM Swap will likely be replaced with something like "SIM identity theft" so that banks and telecoms are not liable. Then we can all buy SIM identity protection.

Does that mean an authoritarian government can read the location and sms of a number from foreign country without any cooperation from the carrier?

Scary thought

Doesn't have to be government but any one

Not in Russia. Numerous examples exist when victim's number was linked to attacker's sim card to obtain 2FA code, then linked back to victim's sim so he does not notice anything.

This happened both by government-linked parties, where they are able to coerce providers to do it, mostly targeting prominent political opposition members. It also happened without government involvement, done by provider's personnel with sufficient access and some entrepreneur attitude.

The rule of thumb to protect against it:

- do not use SMS 2FA

- if you do, use a foreign SIP number with SMS capabilities

- if you HAVE to use local sim, use SIM that belongs to someone else and noone knows you use it

Just google for "форум пробив" and you will find black market for accessing any kind of information, including SMS, phone location, etc and associated services for hacking accounts (VK, Gmail, etc). You don't need to be a government, it is open for everyone.

That type of service can allow the attackers to access SMS contents, but not from swapping numbers back and forth between SIM cards. And without it, the victim will know he is being attacked.

It's also important to know your threat model. Namely, random attacks versus targeted attacks.

Shitty 2fa will still deter people who get a list of a hundred million emails/usernames and passwords and try them on banks, Twitter etc from putting in the extra work to break into your account specifically.

If you expect targeted attacks - from governments, because you oppose them, from determined criminals, because you have a lot of nice stuff to steal, or from people around you, because you know too many assholes - maybe it might as well not exist, but for most people, most of the time, any 2fa is better than none.

> if you do, use a foreign SIP number with SMS capabilities

Any good providers? I've tried Twilio SMS forwarding, but different services (e.g. Steam) reject it for 2FA since they're pretty much considered throwaway numbers, I suppose there's some sort of blacklist

For UK numbers lookup Andrews & Arnold. They have mobile numbers from a national carrier's numbers block so no way for them to be flagged as VoIP. They work fine with both calls & SMS.

I've had a lot of luck with Voip.ms as a provider for short-codes. Their wiki states that they cannot guarantee they work (which I take no surprise in), but I don't recall having one fail since they rolled it out. I've used it for Signal, Whatsapp, and more that I'm sure I've forgotten. Even better, SMS is forwarded to email - available from my desktop or phone.

I have used zadarma.com, they are very cheap and have an app for Android that works rather well

I want my things protected by a human with a process to unlock/reset/.. given some kind of proof of identity.

Because with 99.99% certainty the person that needs to unlock the account is me, and not an attacker.

Even with a dozen backup yubikeys and spare codes written down I’d still be much more likely to lock myself out than be attacked.

If it’s one thing I have learned the hard way it’s that the most dangerous person in the equation is myself. I won’t trust myself with any kind of security.

> I want my things protected by a human with a process to unlock/reset/.. given some kind of proof of identity.

Anytime you have a human in the loop you have the risk of human failings. I.e., that human forgets to follow critical step X in the protocol. Or that human falls for the attackers emotional sob story and takes pity on the attacker and lets the attacker unlock your account. Or that particular human is amenable to bribery to obtain the outcome the attacker wants.

In fact, many sim swaps have been reported to have occurred because of "human at cell phone store did not follow protocol" or "human at cell phone store was taking bribes".

So having a human in the loop is not an absolute solution to solving the problem.

> Anytime you have a human in the loop you have the risk of human failings. I.e., that human forgets to follow critical step X in the protocol

This is exactly my point. If the risk of an attack is X, the risk of me being that person who fails or forgets a critical step of the protocol (backup yubikey, whatever) is a hundred times higher. So this system of “flawed humans interacting” to me looks like the lesser evil.

I don’t want my things protected by foolproof protocols. I‘m the fool you see.

Bingo. This is why crypto currency won't take off without more humane tech being inserted into the process. People aren't robots. We want many many ways to un-screw ourselves when we inevitably screw ourselves.

That's why I'm bullish on things like Shamir's Secret Sharing and other social recovery tools.

It's an iron rule that the more automation, the more important are the humans that remain.

I'm not sure you get this. Google hasn't seemed to get this in the past. They have added some customer support though.

That's how https://jmp.chat/ works, and you can make your phone number as arbitrarily secure as you want with JMP.

Any port-out requests are handled manually - you are contacted by a human to ensure that you made the request. You can ask them to put a verification code on file for you to confirm when this happens if you're concerned about the security of your XMPP account (which itself could use whatever kind of authentication scheme you like).

Good luck trying to use VOIP numbers with US banks these days

In practice it seems to work fine with the banks I've tried. There may be one or two that don't accept numbers whose type is listed as "voip", but they are in the minority.

There is also work being done to update the type field of JMP numbers so they appear as "mobile" instead.

Note this is a pretty recent movement in banking security, several months or so. E.g. Wells Fargo did work previous autumn, not anymore. More can be googled.

Type field is interesting. Not sure this can pass the radars for too long though.

Yup, I have the same misgivings. I hate getting locked out, but at the same time, I'm pretty paranoid and want secure passwords, don't leave copies of them around.

So I've been working on a backup plan. Current incarnation is to use a simple Go cli tool with Shamir's secret sharing algo to break a password into N/M shards. The user can then do whatever they please with the shards, give some to their family, friends, attorney, make a pirate map, get an rfid chip, anything you want.

This would be a nice solution for giving your family access after death too.

They can meet at the funeral to assemble your horcruxes.

Even with a dozen backup yubikeys and spare codes written down I’d still be much more likely to lock myself out than be attacked.

I am not sure this is true. Most people regularly get phishing e-mails and apparently fall for it.

SMS and TOTP (due to the window of time the TOTP code is valid) only provide limited protection against active phishing attacks, since phishing site can 'proxy' the the SMS/TOTP code besides the password.

I think I would prefer losing access to an account (since I make backups of critical stuff anyway) than my account getting compromised, which could lead to identity theft/fraud, etc.

My ideal solution for an ultimate reset/unlock solution would be to show up and have my DNA sampled. Impossible for me to lose the reset key there, and with appropriate DNA extraction procedures, it is nearly impossible to spoof.

The issue with using permanent characteristics for auth is that you lose the ability to revoke one credential in favor of another.

That's not a problem if you have to physically show up though, since no one can spoof that.

As another person said, you're literally leaving it everywhere you go.

If you need a blood sample, then would donating blood be considered compromising security?

Identity is what your DNA is. Password is a secret. Your DNA is not a secret.

I think requiring you to be physically present and having a human take the sample in a prescribed manner serves as an effective 'password' - unless it's a live sample, the DNA is useless.

The movie Gattaca showed in detail how routine spoofing of a variety of IRL DNA samples could work.

I think there's a misunderstanding of what is possible with DNA[0]. We take DNA from dead stuff all the time.

I will agree with "you have to be physically present" is good enough password. This is Yubikey, which works fantastic. The problem with DNA is when it is compromised - you can't throw it away/change it without exorbant effort (bone marrow transplant? and then you're simply taking on someone else's identity? is that identity theft?).

[0] https://www.quora.com/Do-we-require-live-cells-when-extracti...

I think people are misunderstanding what is being suggested here. The idea is that, for example, to unlock your bank account, you have to go to the bank where trusted bank employees will extract your DNA and have it sequenced, resulting in you being given access again. Others cannot spoof being you in this scenario because they cannot implant your DNA in themselves.

Ah you're right. I've re-read it and it is physically present someone verifying you using your DNA.

Which I agree, that works great, but quite narrow in the the use cases at that point.

Consider if you're kidnapped and extracted DNA in unwilling manner

I've built something around it. It's not 100% but gets you to 99%. Dontport.com

I'd be curious to know what the 11 potential tests are. Your website doesn't seem to list them anywhere.

That's exactly what they did in the movie Gattica- it's hard but seems totally possible. I'd rather have multiple revokable keys.

Your DNA can show up all over the place.

>with appropriate DNA extraction procedures

Carriers have already demonstrated their complete across the board failure to have appropriate security procedures. Your DNA isn't hard to find, you leave it literally everywhere you go.

And do you really want mobile carriers creating a DNA database of their every customer? The same companies that already sell your location data to bounty hunters?

That's going to be a big no thank you from me.

While I basically agree, why do you think they'd need your actual DNA? Wouldn't it be hashed?

Consider identical twins, mothers, and organ donation or blood transfusion recipients.

This is where countries like India are going with Biometric Auth plus 2FA (though the implementation has issues). The government provides a public API for sending fingerprint or Iris scan data plus SMS 2FA to authenticate identity with a cost.

Worth noting that this is just for US and for prepaid SIMs, from their paper “We examined the types of authentication mechanisms in place for such requests at 5 U.S. prepaid carriers—–AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless”.

It doesn’t mean that for the rest of the world SMS 2FA is completely secure, it’s just a lot more difficult (or impractical/impossible) to do a SIM swap so easily. As mentioned in another comment below, SS7 vulnerabilities are another attack vector, globally available and without requiring a SIM swap.

These 5 carriers were studied, but where's the evidence that any other carrier is any better (or that you're any better off as a post paid customer of AT&T, T-Mobile or Verizon)?

MetroPCS (prepaid MVNO now something like a subsidiary of TMo) required the 8-digit PIN on the account in order to change IMEIs. A bot would take down all the info, then if/when it was to a phone you'd never used on their network before, you got put on hold to wait to talk to a human and provide your PIN and new IMEI all over again. Then you'd hang up, power off, and move your SIM. But that was ~18 months ago, before it became "Metro by T-Mobile", so I don't know.

The rest of the developed world is using a same way to verify a person - by providing your document. ID card or passport.

I thought this was going to be one of the otherwise-plaintext black and white web pages with <h1>NO.</> centered in the middle, but interestingly it's actual research, and a nice read (even if nothing new) at that.

If it's nothing new then why do people keep saying it's better to have SMS 2FA then to not have it. The research says "websites should eliminate SMS based MFA altogether".

The answer is no, but is it more secure than no 2FA?

Of course there are much better 2FA options, but for the general public, they are probably too complicated to use.

Everyone understands SMS.

Have you seen the prompt system, as used by Google, Micosoft, Okta, et al.?

In my strictly personal opinion, responding to a notification that asks if a login attempt is you is clear enough that people need minimal training to make use of it. This might just be me, though.

In my career, I've definitely seen people actively choose SMS over other factors on offer. It was easier for them, and in many cases shouldn't have been offered. Your point about SMS being better than nothing is wise and true and insightful, but it's perhaps not always the question as faced in practice.

They (and similar corporate 2FA solutions like PingID and similar systems used by banks) basically assume uninterrupted access to the internet which is generally a poor assumption. It often breaks down when you're traveling either due to network or roaming issues just when you desperately need access.

In all these situations, I've found companies which offer a back up SMS option very valuable since it usually gets delivered.

I'm pretty sure the Microsoft authenticator has a backup TOTP token you can have it display if you have issues receiving the notification. It is quite a user friendly auth scheme, at least I've never had to resort to any kind of SMS backed auth.

In my opinion, that sounds like precisely the sort of system that should not offer an SMS fallback unless the goal is to create a false sense of security in the user. But YMMV, I don't generally need to access my online banking applications when I don't have useful internet access.

I tend to use TOTP for systems where I'm concerned about offline usage. But again, YMMV.

Yeah, and my local walmart has a section where there is no network coverage; I was browsing the store and wanted to check something on my bank app; it prompted me for SMS code, which I didn't receive because of no network; & I would not have received the Google prompt if I needed one for the same reason.

HOTP-based 2FA systems (like Google Authenticator) do not require internet connections.

Don't most folks uses TOTP-based schemes with Google Authenticator?

Unless you're using HOTP to mean HOTP and all extending schemes.

The problem there is that it's not very clear that you didn't trigger the login yourself.

It's been my experience that it's often reasonably clear to users that they did perform a login themselves in the past few seconds. Adding an approximate location and a short verification token to the prompt generally helps.

Your experience and standards of clarity may be different from mine, obviously.

I think at some point goolge used SMS 2FA as a sole factor in account recovery. So there, you really were worse off with SMS 2FA enabled.

This is really a criticism that Google called their system 2FA but actually was using it as a sole factor. That's bad security and bad naming. Had they actually used it as a second factor, then you would have seen a security benefit.

Well if that's the case they could still offer true MFA. Make at least SMS 2FA mandatory but offer OTP/token based MFA.

Obviously banks are a place with a lot of low-value targets and a few very high-value targets, but the cost to implement MFA is the same so they might as well do it.

Yeah, the by far biggest cost of 2FA is the recovery process which you need anyway, not actual 2FA implementation.

Awareness may make providers more willing to switch to a better 2FA, such as TOTP.

Sadly, providers seem to be going the other way. I had a service try to bully me into disabling TOTP in favor of SMS 2FA this week.

Because they want your phone number. They are more and more used to link to identities, as people tend to keep (and port) their phone number

Hint: if a store ask for a phone number to get a discount, try the local areacode then 634 5789. This is from an old song, and many people seem to have created "anonymous" account with it!


In Switzerland, we have Mobile ID: https://www.mobileid.ch/en

It uses the SIM to implement a challenge-response mechanism where a PIN is prompted by your phone. While not perfect, it's vastly better than using SMS, without being less convenient.

I don't know if other places leverage the fact that SIMs are smart cards which are perfectly able to perform this kind of stuff given the proper infrastructure.

In India,

if you get a SIM replaced after providing proofs of identity, residence and biometrics, it would get activated after few hours.

The kicker is that it wont get SMSes for 24 hours after the SIM is activated.

In the US, won't it be cheaper as well as secure to get a virtual phone number from Twilio for purposes of two factor authentication? (In India, there is no service at the rate what Twilio offers, but there are some which charge around $30-$40/month for virtual phone numbers with incoming SMSes)

Airtel also makes you to accept that SIM Swap request on old sim if you are not coming in person to a store with ID documents; most of which is Adhaar number verification.

How does this work?

Presumably there's an applet in the SIM card that holds a key pair and allows you to sign stuff by providing the SIM PIN. You interact with it via STK which is an old standard allowing SIMs to tell the phone to draw rudimentary UIs and ask the user for input.

I'm not aware of the details, but I imagine something very similar to EMV payments.

The only difference is that you need to register your SIM with the service beforehand, using a reasonably secure process. Banks make you use their own MFA before you can enable Mobile ID (and no, it's never over SMS).

Protip: security is not black and white

The word "secure" is not binary.

sms as a 2fa is secure.

Just not as secure as a authy totp account

...which is not as secure as a unclonable totp system

...which is not as secure as a hardware token based otp system

...which is not as secure as a hardware token that also requires you enter a pin and a fingerprint to activate it and only communicates using hard coded encrypted messages with the legit service that issued it.

To defeat the Authy account recovery process, you need to perform an active SMS attack (SIM swap, etc) and then prevent the target from seeing the recovery warning emails for 24 hours. Therefore, Authy customers should only tell trusted people that they are going on a weekend off-the-grid camping trip.

The big benefit of SMS for the website is that it outsources the problem of lost 2FA tokens. What happens if the user loses a yubikey. Or changes phones and did not back up their TOTP. With SMS authentication, even if the user loses a phone, they can go down to the local cell phone store and get a new phone on their number and be back in business without the website having to get involved.

> What happens if the user loses a yubikey.

Always buy two. ;-)

Joking aside, I've moved almost every 2FA to hard token, soft-token, or google voice. But the root of trust is still LastPass & Google. I don't see an easy way out of dependency other than power of attorney. Even worse: I worry what happens to my protected assets as I age and possibly face memory loss.

Bad idea: google will disable your google voice after some time of not logging in.

I got bitten in a bad way!

Hopefully twilio will start creating "recognized" numbers someday, as my twilio number is unusable for TOTP. There seems to be a blacklist of all twilio voip numbers.

Interesting! I generally check it once a week. Any idea what their timeout is?

Backup access in a bank safety deposit box is what I do.

I read an article here some time ago that banks take no responsibility if they lose/destroy the contents of their boxes as someone learnt the hard way with precious family possessions.

Right that's why you should verify your backups every year.

No place you store your backup can guarantee it won't be lost or destroyed.

Having either a second yubikey or a totp app as a back up is a wise thing to have. Seriously.

github & gitlab require you to register a TOTP authenticator app before you can enable U2F (presumably to avoid manual resets, although they don't say)

google's enhanced protection requires you to have 2 distinct yubikeys to sign up

Double-edged sword.

Your website is outsourcing security to any company which can service a cell phone account, which may be better than your website security or worse.

I know that google branded “titan” yubikeys come in pairs. One is for keeping in a safe place for recovery.

The title is mangled, because someone misparsed the question.

The question is "Is SMS 2FA secure?", not "Is SMS 2FA-secure?" There is no such property as 2FA-secure.

Title should read: "SMS 2FA is not secure".

I agree. "SMS is not 2FA-secure" implies SMS is not suitable for 2FA at all. In reality, SMS 2FA is still very valuable to most people, even though it's not secure enough.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact