Further to this, it is also why I suggested the pattern workaround for older browsers.
You shouldn't find yourself in too much trouble in a browser if you add an attribute to an element that it doesn't understand though, it will just ignore it.
I’m actually paid to say that too ;) . In fact, SIM swapping isn’t the only weakness of SMS, take a look into the SS7 network and how that allows for a rogue operator to redirect SMS messages too.
At Twilio, we have APIs for two factor authentication and we recommend implementing via push notification to the Authy app with “approve” and “deny” buttons. This is more secure and a better experience than SMS. The API also allows for regular app based 2FA, with a TOTP code, which is more secure than SMS. But it also allows you to fallback to SMS, which is still more secure than no 2FA.
You do have to consider the threat model for your own application when considering these sort of security measures. If the value of an account takeover is high then a targeted attack can, and will, break SMS 2FA. Which is why the Twilio 2FA API allows you to turn off SMS 2FA if you choose.
Ultimately I’d prefer SMS over nothing when it comes to 2FA, but I also encourage developers to use more secure options that can also have a better experience.
I'm not advocating for poorly implemented 2FA, just that SMS 2FA is more secure than just a password.
If a site required you to have a 32 character length password, but kept the passwords in plain text, that wouldn't make your password any less strong. It just opens a different attack vector. If a site implements 2FA via SMS, but allows password reset via SMS it doesn't make SMS 2FA less secure, it makes that sites implementation incorrect.
SMS 2FA isn't more secure than just a password. It actually opens up holes.
When my gf lived in Malaysia, she added her phone number to FB and forgot about it. Years later, after having moved back to Vietnam, the number was recycled and someone was able to use that number to gain access to her FB account and reset the password.
Had she never added her number to FB (and you can extend this to any service which offers SMS 2FA), her account would have been safe.
I'd argue that Twilio should remove SMS 2FA as an option. Period. Just move on from it. Please.
The security hole there is using SMS as an account reset, which makes it a one factor solution (see other discussions of this in the thread). The error was in that implementation, not in SMS 2FA in general.
But as I said towards the end of the previous comment, if you deem the threat to your users great enough that targeted SMS attacks are a problem, you can turn off that fallback.