by arekkas 845 days ago
Yes, this is definitely true. However, there are use cases and companies who rely on SMS based two-factor:

- Using SMS for phone verification

- Using SMS for mobile login (think dating apps for example)

- Using SMS for two-factor where other factors are not available / convenient (often in emerging markets)

SIM Swap Attack, SIM Port Hacking are all real, but as always in security it comes down to your threat model to decide what's acceptable risk and what isn't.

Hope this makes sense (maintainer here).


Plus you have to consider the amount of support you inherit when using something less universal (and generally fool-proof) than SMS.

"The one-time code won't work!"

"The authenticator app doesn't work!"

"The email takes forever to arrive!"

"I never got the email!"

Most of that sort of thing goes away with SMS. It's not that SMS never fails, but every mobile device takes it, it's relatively simple, and very reliable. An alternative approach may be more secure, but require more hand holding, and not every organization wants to do that.

In a similar vein, it's not necessarily prudent to do everything that infosec experts espouse. For an analogy, businesses should consult lawyers, but if they follow every bit of advice from a zealous lawyer, they might never take necessary risks that allow the business to achieve excellence; as well, they may need to dedicate substantially more time and effort on compliance.

Meanwhile, the AT&T mobile network is down in the US, heh.

I do agree with your statements.

Gotta admit, it's a funny coincidence. Stupendous timing, AT&T.

> - Using SMS for mobile login (think dating apps for example)

Dating apps in particular seem to be a problematic example to me. In some regions, phone numbers change owners quite easily (e.g., no possibility to port a phone number to a new contract, and quick recycling of the phone number when a contract is terminated).

To be fair, it really depends on the region you're operating in. Some regions (like most places in Asia) use this as the primary identifier (instead of email), so despite the very obvious security flaws you might simply be forced to offer it.

Right, by this point the global norm is to rarely, if ever, use email (or a computer larger than a smartphone) unless you work in an office (and in some places not even then). The phone number is the primary identifier for mass-market apps in most countries.

It's not just emerging markets. Many people are not capable of setting up authenticator apps, not everyone is a "techy" and not everyone is smart. Those people use the internet too.

SMS token is something that is much easier to use. 2FA with SMS is still a lot of added security in comparison to no second factor at all. Especially for people who use insecure passwords.

> Many people are not capable of setting up authenticator apps, not everyone is a "techy" and not everyone is smart.

That might be true but on the other hand most companies using Teams etc. will be introducing 2FA with the MS Authenticator App. Techie or not, you need to install an app and scan a QR code.

Once again, not every person using the internet is working for a company.

If you don't know anyone that will just laugh at you when you tell them "it's super easy, you just need to install an app and scan a QR code", then you're living inside a bubble. Every year at my mum's birthday party her friends already queue up in front of me, so I can install some apps for them.

Are they too stupid (I don't mean that in a condescending way) or just too lazy? I know several elderly people (75 to 85 years old) that have no problem installing apps on iPhones. On the other hand I know others that "play dumb" but I think it's mostly an issue of fear.

It doesn't "add" security, it "adds" an account takeover path.

How is a second factor adding an "account takeover path"? You're not seriously saying that adding a second factor is reducing security?

We can agree that password reset via SMS token is bad. It basically reduces everything to one factor login via SMS.

I agree with you, SMS as implemented almost everywhere* is bad, adding an account takeover path (the reset by SMS) with insufficient value-add to offset that 100% guaranteed (see research I linked elsewhere in thread) path to account takeover.

And as to "You're not seriously saying that adding a second factor is reducing security?" -- yes I am, when it's not a second factor, it's implemented as an "only factor".

To that point, btw, I'd linked to your other reply about resets from a couple of mine: https://news.ycombinator.com/item?id=39467039

* Note: And by "as implemented almost everywhere", I mean so indistinguishable from everywhere that that effectively boils down to "SMS is bad", much easier for users and builders to understand, when better options are available.

It mostly doesn't make sense, unless used exclusively as second factor, never only factor.

- phone verification: OK, but this wasn't about that, and having to have phone numbers in a database means you're maintaining PII, which is a liability, see regulator-related story below.

- mobile login (think dating apps): should be passkey, sign in with Google/Apple, or oauth of users' choice, see Twitter story below

- two factor where other factors are not available: in the case of SMS this actually means two ways to get into the account, not two factor, see IsSMS2faSecure slides below.

SMS is an anti-pattern, generally less secure than a good password (something you don't even need to know w/ passkey) and biometrics (something you have/are) as it opens your threat model up to anyone with social engineering skills to take over your account (something anyone can do).

This was demonstrated dramatically a few years back by a research team calling the phone companies and being 100% successful on major carriers.

The slides here are eye opening if you're thinking SMS is a good idea:

https://www.issms2fasecure.com

https://www.usenix.org/system/files/soups2020-paper16-slides...

We have the $400M FTX sim swap and this year the SEC's sim swap to remind us nobody is immune when SMS is at play, and people can't claim to not know about it since it's now widely covered:

The FTX case highlights a growing awareness among prosecutors and regulators of the ease and prevalence of SIM swap schemes. Reading the Powell indictment is not unlike reading one of the hundreds of credit card theft indictments that federal and state prosecutors pursue each year. As far as frauds go, SIM swapping is low-cost, unsophisticated, and rote. But, if you’re a criminal, it works.

SIM swapping works largely as the result of vulnerabilities in the telecom’s anti-fraud and identification protocols, and as the result of relatively weak anti-fraud and identification verification procedures used as the default for all too many online service providers, including financial services firms.

https://www.coindesk.com/consensus-magazine/2024/02/12/the-f...

https://finance.yahoo.com/news/sec-blames-sim-swap-attack-fo...

https://www.theguardian.com/money/2024/feb/19/sim-swap-how-y...

It keeps getting worse:

"US insurance firms sound alarm after 66,000 individuals impacted by SIM swap attack"

https://www.bitdefender.com/blog/hotforsecurity/us-insurance...

Bottom line, and putting this "global user" story to bed, if Twitter can dump SMS across emerging markets (not a lot of blue checkmark subscribers), so can everyone:

https://techcrunch.com/2024/01/23/x-adds-support-for-passkey...

All that said, @andix is correct in that if you're going to use it, you must not allow password resets or account takeovers with SMS. SMS must be strictly second factor, never "only factor": https://news.ycombinator.com/item?id=39467039
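The "second factor vs. only factor" argument above, as an added example that is not part of the thread: a small model in which each policy lists which factor sets grant a login and which grant a password reset, and an attacker who has SIM-swapped the victim holds exactly the "sms" factor. Policy names and factor labels are constructed for the demo.

```python
# Constructed example: model of login/reset policies from the SMS 2FA discussion.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Iterable

PASSWORD, SMS, EMAIL = "password", "sms", "email"


@dataclass(frozen=True)
class Policy:
    name: str
    login_paths: FrozenSet[FrozenSet[str]]   # any one path satisfied => logged in
    reset_paths: FrozenSet[FrozenSet[str]]   # any one path satisfied => new password set


def paths(*sets: Iterable[str]) -> FrozenSet[FrozenSet[str]]:
    return frozenset(frozenset(s) for s in sets)


POLICIES = {
    # No second factor at all; reset via email link.
    "password_only": Policy("password_only", paths({PASSWORD}), paths({EMAIL})),
    # SMS used as the "only factor" (OTP-to-phone login).
    "sms_only_login": Policy("sms_only_login", paths({SMS}), paths()),
    # Proper second factor, but password reset is granted by SMS alone.
    "sms_2fa_sms_reset": Policy("sms_2fa_sms_reset", paths({PASSWORD, SMS}), paths({SMS})),
    # SMS strictly as second factor: reset goes through a different channel.
    "sms_2fa_strict": Policy("sms_2fa_strict", paths({PASSWORD, SMS}), paths({EMAIL})),
}


def takeover_path(policy: Policy, attacker_has: Iterable[str]) -> Optional[str]:
    """Describe how an actor holding `attacker_has` reaches the account under
    `policy`, or return None if those factors are not sufficient."""
    have = frozenset(attacker_has)
    for lp in policy.login_paths:
        if lp <= have:
            return "login with " + "+".join(sorted(lp))
    # A successful reset hands the actor the password factor as well.
    for rp in policy.reset_paths:
        if rp <= have:
            for lp in policy.login_paths:
                if lp <= have | {PASSWORD}:
                    return ("reset with " + "+".join(sorted(rp))
                            + ", then login with " + "+".join(sorted(lp)))
    return None


if __name__ == "__main__":
    for name, pol in POLICIES.items():
        print(f"{name:18} SIM swap only: {takeover_path(pol, {SMS})}; "
              f"leaked password only: {takeover_path(pol, {PASSWORD})}")
```

Running it shows both halves of the thread's argument: SMS as a strict second factor blocks a leaked password on its own, while allowing reset by SMS collapses the scheme to a single SIM-swap step.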

SMS 2FA is only ostensibly about security. Mobile providers always sucked at it and never advertised that they were selling high quality identification services in the first place. They've actually gotten better at it but it wasn't ever their thing and still isn't.

Phone numbers are excellent PII for user tracking though AND allow companies to dump a lot of the hard support work on someone else. Gobbling up PII to sell and externalizing the hard support stuff to someone else is how tech companies and increasingly any company works these days. So it isn't a surprise it isn't going anywhere. You'll likely need to cough up a number at least for "verification" anyway (since they want it) so they'll probably just use that for account recovery too while they're at it to make their lives easier.