It's time to stop using SMS (2021) (lucky225.medium.com)
45 points by fanf2 60 days ago | 57 comments



It's also time to stop using Medium for anything. I wonder if the author really opted to unpublish this piece from the internet, or if they just got defaulted in when Medium "released a new feature".


I just migrated my blog and popular posts from Medium. I noticed a ton of issues as well. What's interesting is that a metric ton of traffic to my domain is directed at articles unrelated to me. Somehow Medium was serving a ton of content on my domain, which is a huge issue for me.


I concur. I can’t even read the whole article without a huge banner forcing me to sign up.



Disagree.

SMS is not perfect for security. But SMS is better security than no 2FA at all, and for many (most?) situations, more-secure alternatives aren't viable. The deprecation of Authy or loss of keys has left me permanently locked out of a few accounts. YubiKey and similar aren't ubiquitous enough or usable enough for many users. I've experienced these problems personally and I'm likely in the most technical 1% of users you're likely to encounter. SMS is ubiquitous and users understand it, and is secure enough for many situations.

If you're running a service that requires a high level of security, fine, force users to use TOTP/HOTP or something, but be aware you're going to be excluding some users and adding to your support costs by doing that.


I disagree that SMS two factor is more secure than a password alone. I have found that once you enter your phone, it is more trusted than your password (meaning it alone can reset your password). A phone number is as secure as the least competent support person at your phone provider.

A password, with email reset is better. My email has two factors of authentication, rather than whatever my phone provider requires as proof.


What you describe isn't 2FA, though. "SMS two factor" fundamentally precludes the idea that the second factor can be used as a primary factor as then it isn't "two factor" it is "one factor".


Yes, it isn't technically an issue when it is purely a second factor. But it almost always ends up being trusted enough that the support team will reset your account with just that info.


The article isn't about 2FA though; it says "It’s time to stop using SMS for anything".

(I can't read much more than that, Medium won't let me)


This is a MANGA+ problem. I even have my password (and user and IP), but I can't log in because Google wants me to confirm a phone number I no longer have.

LifeHack: Don't set up a MANGA account with a phone number. Leave the phone# for banking and other important logins.


Just use BigTech™ and stop trying to prop up a silly, ever-shifting acronym.


But that's a funny acronym, though. I wonder when ANIME+ is coming out.


> I have found that once you enter your phone, it is more trusted than your password (meaning it alone can reset your password).

Sure, but my answer to that is simply, don't trust users' SMS more than their password. You should require two factors of authentication to change settings on any authentication factor (i.e. SMS and email to change password, password and email to change SMS).

Notably, email is arguably less secure than SMS.
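One way to encode the rule in this comment (two verified factors, neither of them the factor being changed, before any factor may be altered), as an added Python example that is not from the thread or from any product. The Factor names, MIN_OTHER_FACTORS, the FactorChangePolicy class and the audit list are assumptions made for the illustration. Alongside the strict rule it shows the weaker "any one verified factor" rule the thread complains about, and a check for accounts whose enrolled factors can never satisfy the strict rule, which is the case a support team then has to handle out of band.

```python
from enum import Enum
from typing import FrozenSet, Iterable, List, Tuple


class Factor(Enum):
    PASSWORD = "password"
    EMAIL = "email"
    SMS = "sms"
    TOTP = "totp"


# Hypothetical policy constant: a change to factor X needs this many
# freshly verified factors other than X.
MIN_OTHER_FACTORS = 2


def weak_policy(target: Factor, verified: Iterable[Factor]) -> bool:
    """The behaviour the thread objects to: any single verified factor other
    than the target (e.g. an SMS code alone) is enough to change the target."""
    return any(f is not target for f in verified)


class FactorChangePolicy:
    """Strict rule: SMS and email to change the password, password and email
    to change SMS, and so on. Every decision is recorded for later review."""

    def __init__(self, enrolled: Iterable[Factor]):
        self.enrolled: FrozenSet[Factor] = frozenset(enrolled)
        # (decision, target, factors claimed as verified, reason)
        self.audit: List[Tuple[str, Factor, FrozenSet[Factor], str]] = []

    def decide(self, target: Factor, verified: Iterable[Factor]) -> Tuple[bool, str]:
        """Return (allowed, reason). `verified` is the set of factors the user
        has just proven in this session; enrolling a new `target` is treated
        the same as changing an existing one."""
        verified = frozenset(verified)
        unenrolled = verified - self.enrolled
        if unenrolled:
            # A factor the account never enrolled cannot count as proof.
            names = ", ".join(sorted(f.value for f in unenrolled))
            return self._deny(target, verified, "claimed factor(s) not enrolled: " + names)
        supporting = verified - {target}
        if len(supporting) < MIN_OTHER_FACTORS:
            return self._deny(
                target, verified,
                f"need {MIN_OTHER_FACTORS} verified factors other than "
                f"{target.value}, got {len(supporting)}")
        self.audit.append(("allow", target, verified, "ok"))
        return True, "ok"

    def self_service_possible(self, target: Factor) -> bool:
        """Can this account ever pass the strict rule for `target`? If not,
        the user should be nudged to enrol another factor before a lost
        password or lost phone turns into a support ticket."""
        return len(self.enrolled - {target}) >= MIN_OTHER_FACTORS

    def _deny(self, target: Factor, verified: FrozenSet[Factor], reason: str) -> Tuple[bool, str]:
        self.audit.append(("deny", target, verified, reason))
        return False, reason


if __name__ == "__main__":
    policy = FactorChangePolicy({Factor.PASSWORD, Factor.EMAIL, Factor.SMS})
    print(policy.decide(Factor.PASSWORD, {Factor.SMS}))                # denied: SMS alone
    print(policy.decide(Factor.PASSWORD, {Factor.SMS, Factor.EMAIL}))  # allowed
    print(policy.decide(Factor.SMS, {Factor.PASSWORD, Factor.EMAIL}))  # allowed
    print(weak_policy(Factor.PASSWORD, {Factor.SMS}))                  # True: the weak rule
    print(FactorChangePolicy({Factor.PASSWORD, Factor.SMS}).self_service_possible(Factor.PASSWORD))
```

The last line is the practical caveat: an account with only a password and a phone number cannot satisfy the strict rule for a password reset, so a service adopting this rule has to either require a third factor at enrolment or accept that those resets go through support, which is exactly where the thread says the weakness usually sits.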


>But SMS is better security than no 2FA at all

Maybe for some users, but to many like me, this is an annoying assumption for a service provider to make. If I'm forced into adding an insecure method like SMS, I feel that it needlessly weakens my overall security posture. With effort and diligence, it's possible to manage a single strong password securely, but there is absolutely nothing I can do to use SMS securely, so the degree of security I can aim for is limited.

I think the right approach should be to allow the user to opt into such insecure methods, but to never force them to accept a lower standard.


Yes. SMS is completely about raising the insecure people to some base level of difficulty to compromise. This is often at the cost of more secure individuals.

The problem is that you can't force users to use a decently strong unique password. You can force them to set up SMS 2FA (with very minor exceptions of people without SMS access). Moving the base bar from credential stuffing to SIM swapping is a huge upgrade for big services.


> you can't force users to use a decently strong unique password

Unique is the key word. You can certainly force users to use a decently strong password, but not keep them from using the same password at every other website.


Sure. To be clear, I'm not saying "force users to use SMS". The ideal solution for most (not all) situations, in my opinion, is to require a password and one of HOTP|SMS as a second factor.


SMS haters make it seem like there are tons of vans with antennas stealing banking credentials left and right, but somehow this just isn't happening.

The cyber criminals that want to log in to my Microsoft account just don't live anywhere near me and don't have fake companies with SS7 access.


None of that is required to compromise SMS. A SIM swap is much easier to accomplish because the cellular carriers have historically had woefully insecure policies and their support agents could easily be socially engineered into moving your phone number to an attacker-owned SIM card.


I believe that this is only a USA problem.

In Europe I have never heard any stories about SIM swaps, so I do not believe that they have high chances of success, like it is said to happen in the USA.

Therefore, at least here I find SMS as a 2FA more convenient than the alternatives and I believe that it is secure enough for most uses.


Disagree. SMS is the only thing that can get through if you can only ping a tower. If for no other reason than that it should stay around.


I think the article is about not using SMS for 2FA, not about abandoning SMS altogether.


I wish someone could tell me how bad SMS is for 2FA in reality, because every time I hear about it, it's worded as if someone could gain access to your account JUST by stealing your SMS, which is exactly what TWO factor authentication would prevent from happening.

I've been under the impression a lot of scary articles about it are talking about single-factor recovery methods that use SMS, such as password reset systems.

I also think it's weird how e-mail never seems to be counted as a form of 2FA. If everyone used e-mail as 2FA, then I'd only need to secure my e-mail account.

If my passwords are saved locally in my computer, isn't the computer "something I have"? Holding a phone number in a complex system of telephony is the most weird "something you have" you could come up with.


You've basically backed into the logic of passkeys as well. It's all about _provably_ having the thing you have. Basically everyone is storing their passwords on their computer anyway, if at all, so the computer is the thing they have. Why not make that the factor instead of a string?


>Passkeys are a new way to sign in to apps and websites. They’re both easier to use and more secure than passwords, so users no longer need to rely on the names of pets, birthdays or the infamous “password123.”[1]

Hmmm... are THESE the vectors people are considering when they make these things? I mean, it makes sense, but it does put it in a whole different perspective.

Am I correct to think that these aren't real problems if you use passphrases instead of some cliched password?

Because you can steal my phone and get through the lock screen to access all my stuff with the passkey, but you can't get my master password out of my brain unless you put a probe in it.

1. https://blog.google/technology/safety-security/the-beginning...


Passphrases and a browser extension, basically. The Passphrase can still be stripped off the wire and used later while passkeys are phishproof and single use.


As someone working in telecom, we often hear customers telling us that their bank account has been wiped clean. How did they get there? SIM swap. A bad actor manages to transfer the phone number into a SIM card they control.

Now they have potential access to all accounts where you use 2FA.


But that's just one of the FA's? In fact you could argue any 2FA account is 3FA.

For example, to break into John's account at bank dot com you need to know:

1. John's username.
2. John's password.
3. The code the bank sends to John's SMS.

I guess for a lot of extremely important things the username is public information, so that one is easy to get, but you still need the password besides the SMS.

Where are these bad actors getting the users' passwords from?

It seems you already need to have a leaked password for this SMS attack to mean anything, which I assume isn't something that happens very often. From how often I heard about SMS 2FA being bad, it sounds like it's worse at locking your account than 1FA, and that's what doesn't make sense to me.


The thing about SMS is it's comparatively neutral. It's not proprietary like iMessage, not a MITM attack like whatever the protocol Google tries to insert for you is. With respect to authentication, the same applies. I see companies now forcing you onto an app ostensibly for 2FA but obviously just to ransom you into the app to up their metrics. And SMS works on dumb phones.


How many sites actually do that? Microsoft does it for the device compliance/SSO/push notification stuff. Heck even we (GitHub) don't push the app and require TOTP or SMS first if you want to use the app.


Discussed at the time:

It’s time to stop using SMS for security - https://news.ycombinator.com/item?id=26469738 - March 2021 (147 comments)


I'm not keen on giving out my phone number and not looking to grab another SIM just for sign-ups.

I can use a temporary email for a quick test, or even create a dedicated email for your service that includes two-factor authentication (2FA) for extra security. I might opt for a privacy service like DuckDuckGo or Apple's "Hide My Email."

A phone number, which requires being attached to a passport/ID? I'd rather stop using your service than trust you with that data.


You can rent a phone number from Twilio for $2/mo and forward incoming calls and texts to your phone number. Although as of recently you can't send texts unless you do some dumb identity verification thing.


Except many/most services will not trust any "VoIP" phone numbers, because the real reason they want your number is not 2FA, but instead Sybil resistance. If you force scammers/fraudsters to burn an "expensive" number (yes, a $4/mo prepaid SIM is expensive) then you get less spam/fraud.

By the way, don't use Twilio. You can get a phone number from someone like BulkVS or Anveo Direct for literally $0.06/month.


Shout out to Ticketmaster for not allowing the only real phone number I have.

Walked into an Oxxo. Bought a sim card for like $3, Ticketmaster happily let me use it. Good job, guys.


Did you happen to transfer that phone number from a land-line to a mobile? Sort of like geo-IP systems, the SMS providers like Twilio track blocks of numbers and label them as land-line or not, and refuse to send SMS to landlines. Unfortunately they're quite stale and don't account for the possibility that users could switch their number. They have ways for the user to reach out individually and fix their number, which is... dumb.


My phone number was once a Verizon number. Then Google Voice. Then Google Fi. Then, since Google couldn't transfer my number from Fi back to Voice, and Fi left me stranded multiple times with a non-functioning phone, I transferred out to Telnyx where I have my own little scripts that forward calls and forward/reverse-fwd SMS to my email. It's brilliant for my lifestyle - bouncing around countries with a different eSIM every month or so.

Idk, I get why it's the way it is but it's asinine and annoying as hell.


Will not happen anytime soon. Tied to an actual identity (anon prepaid cards are no longer available in most countries), easily deployed at scale and across all population types (think older people), no app needed, and compatible with 100% of all mobile phones.


Feels like SMS 2FA logins have become the new norm for some reason.


Because, over the last five or ten years, MFA has been adopted as a best practice and it’s easier to check the box with SMS than to get all your users to install a TOTP app. (another example of “Best Practices” being actively harmful: people should use passkeys now)


In the past two years or so I’ve seen the floodgates open for un-opted-in email-based 2FA, usually tied with “known device” recognition. This is obviously more secure than SMS but I just wish it weren’t less convenient, especially on mobile (specifically talking about the iOS 2FA iMessage input method integration)

By contrast I feel like SMS 2FA increasingly is not an option, or at least not the default.

Almost no sites I interact with outside of big tech offer TOTP or FIDO2, which is a real shame.


I don't see how email-based 2FA is more secure than SMS.

With email, if an attacker gains access to my email account she can remotely de-auth my mobile device's email client, reset my password for service X, and sign in to service X without my knowledge (assuming I don't notice my email client has stopped working).

With SMS, if they gain access to my email account, I at least get the notice of the attempted login via SMS and can take appropriate action.


SMS is architecturally insecure. It’s been demonstrated time and time again that cellular providers cannot effectively prevent SIM-hijacking via social engineering and other means. Email isn’t perfect, but I believe that my account is much more resistant to takeover than my phone number is.


macOS/iOS support autofilling 2FA codes received via email in addition to those received via Messages.


Yeah, but only if you use Mail.app. AFAIK there’s no API for third-party apps like Gmail to do so.


You can always add the account there and then never open it, just to get the 2FA filling.

I prefer it anyway since I have multiple accounts and they’re not all gmail.


Not a bad idea, thanks!


Anyone tracking signup conversion will realize that phone numbers are autofilled whereas 2FA requires an installation for a greater number of users, leading to drop-off.


2FA apps also require me to do many more actions as opposed to SMS as notification. Would be much better if there was some sort of nudge mechanism for phone to display the proper code.


Microsoft does this. eBay also. And Steam. Once you install the app, any time there is a sign-in, you get a pop-up on your phone. Yes/no button. Very convenient.

Why don't more apps do that?


I disabled my eBay app login pop up because it would never come. My login would sit pending forever. Would much prefer TOTP, even if a little slower.


Yes, SIMs can be swapped and SMS can be eavesdropped. But SMS 2FA has some qualities hard to replicate by other solutions:

Reliability. It's extremely hard to accidentally break a SIM card. If you drop or drown your phone it may easily become inoperable, but the SIM will still be OK and ready to work in another device.

Availability. If you somehow destroy your SIM it is reasonably easy to get a replacement. Properly and securely backing up an app-based authenticator is difficult. Enrolling multiple authenticators is cumbersome and sometimes not possible at all. Migrating to a new device is as easy as it gets.

Attack discovery. If you are being SIM-swapped, you will notice immediately as your phone stops working. If someone is eavesdropping on your SMS OTP you will notice as you will receive unsolicited authentication attempts.

Attack scope. The attack must be targeted as it is much more costly to do it in larger scale.

Attack mitigation. You can take back your stolen SIM as opposed to leaked keys.

I'm not saying SMS is the best solution, but it is good enough in many aspects. Other solutions are best in one aspect and much worse in others. SMS strikes the right balance IMO and can be reasonably secure when used as a second factor. (Not first and only!)


Maybe for security, but the proprietary alternatives to SMS are worse. Some have ads, some have interoperability problems, some have spam, and some get shut down when the vendor loses interest. If all you need to say is "I'll be 5 mins late", it's hard to beat SMS.


Signal doesn't have any of those issues


Signal doesn't interoperate with non-Signal messaging.


Signal also doesn't have too many users.




