[colechristensen]

The back door is either automatic or human account recovery tools.

These tools generally put way too much trust into the phone number and allow someone who has compromised that number to take control of anything it has ever touched.

Phone numbers are very public and easy to steal in ways which are difficult to defend against.

Imagine someone in a domestic abuse situation having their phone taken, with sms 2fa, how hard would it be for that person to recover and retain access to their accounts and services?

With SMS 2FA someone who knows you personally and has control of your phone number is nearly impossible to escape.

All the adversary has to do is say "oh this was linked to my old number" and account support is super likely to just give access away.

You would have to be somewhat of an opsec expert to escape that hell, and even if you know everything it becomes impossible to defend yourself against the owners of your accounts giving access away.

The only real defense is to never associate your phone number with personal accounts which even then is often not possible.

[robbya]

You're talking about account recovery, not 2FA. A website can use my phone number for account recovery even if I'm not using SMS as 2FA.

I agree with everything you said about SMS for account recovery.

Account recovery that uses a phone number is weak. There was a paper on HN this week that detailed this.

However, if we are going to compare SMS 2FA (I.E. password plus code sent over SMS) against just password, SMS 2FA wins. In both cases I need to steal your password, the SMS part is an added challenge although it's easier to bypass than many people want.

Given SMS 2FA and any other 2FA option, SMS 2FA loses.

[colechristensen]

In an idealized sense, sure. But not for a practical situation.

SMS as an authentication factor weakens the security because of all of the additional behaviors associated with the account provider which are inescapable.

[robbya]

Edit: looking again, I see what I missed.

> The only real defense is to never associate your phone number with personal accounts which even then is often not possible.

Yes that's exactly right. If I don't trust a website to not use my phone number as the sole factor for recovery, then I should not use SMS 2FA on that site and I should not add my phone number to any part of my profile. If I know (how?) that the website won't use SMS for recovery, then SMS 2FA is better than nothing.

As a website owner, if I offer SMS 2FA auth and use SMS in isolation for recovery, then I'd want to stop using SMS for recovery. After that, removing SMS 2FA and not offering any second factor would weaken my security. I.E. SMS 2FA is weak but better than nothing. SMS single factor recovery is terrible, fix that ASAP.

[colechristensen]

It's one of those things which, technically, can be done correctly. However, it isn't. It provides an incentive to do bad security which is bad for providers because their security will have a tendency to devolve into bad-factor recovery and it's bad for users because it makes them comfortable with a security factor which is easily defeated.

It might be good for your use case, but systematically SMS is bad for security in a global society sense.

[robbya]

> Imagine someone in a domestic abuse situation

Depending on how abusive you are thinking, that sounds like rubber hose cryptanalysis. That's a hugely powerful approach and I think all 2FA can be bypassed with that, if not most of modern cryptography.

https://en.m.wikipedia.org/wiki/Rubber-hose_cryptanalysis

> having their phone taken

Keep in mind that other 2FA methods also are phone based, like TOTP / Google Authenticator. Those also fail if your unlocked phone is taken. SMS is even weaker than those, but still better as a second factor versus nothing.

[colechristensen]

It is, in many ways, a worse vulnerability than rubber-hose cryptanalysis. When you run away from the person with the hose, you can change your passwords and they won't be compromised any more.

If somebody has your phone, a physical address associated with you, and some basic biographical information, they can continue recovering access to your accounts in a way which is difficult to escape, especially because of the misplaced trust in using phone numbers for security.

The threat in that situation is being vulnerable and having to digitally escape as well as physically escape, and if you don't do both simultaneously you can be continuously compromised in a way which is very difficult to succeed.