[hn_throwaway_99]

> Than TOTP?

Yes, absolutely. Recovering lost TOTP keys in a secure way is a difficult problem, and this happens all the time when people get new phones. With SMS the code is tied to your account, not the device.

> Than email?

Probably not much better than email for most users, but I guarantee for a large subset of users the SMS experience is better. With email you need to go to a separate app/page on the same device, with SMS you get a notification on a separate device or a notification popup on the same device (that usually lets you easily copy the code). Again, I totally agree that SMS has issues, but people arguing against it should spend some time in a usability lab with non-tech people - the kind of issues they hit will blow your mind.

> The problem with SMS is that it adds additional vulnerabilities through sim jacking.

Then fix the SIM-jacking problem. Which, I'll note, phone companies have made a lot of improvements in making this harder, and in the US government has gotten involved in making this harder.

Most importantly, note that SIM-jacking is really just a "how do we verify someone who lost a device" problem. That exact same problem exists with TOTP and hardware keys. All we really need are uniform guidelines for proving identity when a device is lost so you're not at the mercy of some low-paid, outsourced service rep to keep your account secure in the face of a persuasive bad guy.

[insanitybit]

> Yes, absolutely. Recovering lost TOTP keys in a secure way is a difficult problem, and this happens all the time when people get new phones. With SMS the code is tied to your account, not the device.

You can store your backup codes in any number of ways. The easiest being to just download them and have them automatically backed up to Google Photos/ iCloud.

> Again, I totally agree that SMS has issues, but people arguing against it should spend some time in a usability lab with non-tech people - the kind of issues they hit will blow your mind.

I don't really care about usability when the solution is strictly worse than doing nothing. Like, to be clear, users would be safer without SMS if they just used a unique password. SMS is a terrible solution that really only solves "you used the same password across two sites, one of those sites got popped, the attacker doesn't have access to the common tooling to phish your SMS, and you can't figure out how to use email apparently".

> Then fix the SIM-jacking problem.

It's a lot harder to fix "make SIM recovery safe" than it is to fix "make email recovery safe" because phone numbers transfer all the time and emails rarely do. Further, almost all account recovery ends up falling back to email natively, so there's no additional attacks added.

At the end of the day:

1. Every modern browser supports a synchronized password manager, which makes all non-FIDO2 MFA basically useless

2. SMS 2FA adds additional attack surface through SIM jacking

3. Every modern phone is a FIDO2 compatible token

SMS 2FA is simply a technology that has no place. Attacker tooling has already started to adapt to non-FIDO2 MFA so the time for that approach is just over, the best thing we can do is stop pushing for adding new vulnerabilities just to fail to solve a problem that has trivial solutions.

In short, it adds nothing over other techniques and it strictly increases attack surface.

[orev]

>> Yes, absolutely. Recovering lost TOTP keys in a secure way is a difficult problem, and this happens all the time when people get new phones. With SMS the code is tied to your account, not the device.

> You can store your backup codes in any number of ways. The easiest being to just download them and have them automatically backed up to Google Photos/ iCloud.

As soon as the lost TOTP keys was mentioned, this is exactly the type of response I was expecting, and it shows how far out of touch tech people are with “normal” people.

MFA login is needed because general people are so bad at managing their passwords (using simple ones, re-using ones that have been leaked, etc) that the tech side had to just give up asking and start forcing everyone to use what is essentially a one time password.

If users were conscientious enough to know how to store backup codes, etc, then we wouldn’t have the problem of bad passwords to begin with. So you’re expecting people with bad habits in one area to magically have good habits in another area that only exists because they couldn’t properly solve the original problem.

[insanitybit]

> So you’re expecting people with bad habits in one area to magically have good habits in another area that only exists because they couldn’t properly solve the original problem.

Not really, no. I'm actually advocating against non-FIDO2 2FA entirely because a strong password is just as good and every browser has a password manager built in now. 2FA doesn't add security, SMS 2FA makes things worse.

[hn_throwaway_99]

Built-in password managers (at least Chrome's) suck:

1. These days, most people use passwords across browsers and native apps. In-browser password managers don't really support this use case well, at all.

2. At least in Chrome's, you can't manually add a password or add any notes.

3. Sometimes login domains change, and since the password is only tied to the domain (not a generic name), it's easy for passwords to get lost.

Again, nobody is really disagreeing with you that the situation is less than ideal or that there are more secure alternatives. But you seem unwilling to accept that a huge swath of the population sucks at secure password management, which is why SMS 2FA is a "lowest common denominator" option to improve security.

[insanitybit]

I think the main contention here is that I'd say users should just do nothing. SMS 2FA sucks and it's going to be a horrible tech debt that we're paying off for decades. We have better alternatives that, for a huge number of users, are perfectly acceptable. For everyone else, yes, they will have to use stronger passwords.

I really don't believe that there's some huge cross section of users who simultaneously:

a) Will go through the hassle of enabling and using SMS 2FA

b) Won't go through the hassle of using another 2FA method - email, totp, any smart phone for u2f, or a dedicated token

c) Won't use relatively unique passwords for high value websites, password manager or not

IMO SMS 2FA is, however, likely convincing users that they are safer than they truly are, and gives companies an excuse to do what's easy and not what's safe.

I mean, some banks even hand out hardware tokens to customers. I'd suggest that instead of SMS 2FA being treated as acceptable we add more pressure to improve the other systems, lower their prices, etc. Hardware keys should be effectively free.

[RijilV]

> SMS is a terrible solution that really only solves "you used the same password across two sites

Right. That’s the sole purpose. People pick bad passwords and reuse them, but you already know that.

As much as tech tries to make this easy people, it’s a horse-vs-water problem. Even smart people refuse to use to use password managers. Most of those people have figured out how to receive text messages.

Seriously, go find someone who owns a JitterBug phone and watch them create a new account on the website of your choice. We’ve got a long way to go.

[insanitybit]

Instead of pushing a non-solution that trades one issue for another we should be educating people on password managers. Every major browser has built-in password management.