by Terretta 854 days ago
It mostly doesn't make sense, unless used exclusively as second factor, never only factor.

- phone verification: OK, but this wasn't about that, and having to have phone numbers in a database means you're maintaining PII, which is a liability, see regulator-related story below.

- mobile login (think dating apps): should be passkey, sign in with Google/Apple, or oauth of users' choice, see Twitter story below

- two factor where other factors are not available: in the case of SMS this actually means two ways to get into the account, not two factor, see IsSMS2faSecure slides below.

SMS is an anti-pattern, generally less secure than a good password (something you don't even need to know w/ passkey) and biometrics (something you have/are) as it opens your threat model up to anyone with social engineering skills to take over your account (something anyone can do).

This was demonstrated dramatically a few years back by a research team calling the phone companies and being 100% successful on major carriers.

The slides here are eye opening if you're thinking SMS is a good idea:

https://www.issms2fasecure.com

https://www.usenix.org/system/files/soups2020-paper16-slides...

We have the $400M FTX sim swap and this year the SEC's sim swap to remind us nobody is immune when SMS is at play, and people can't claim to not know about it since it's now widely covered:

The FTX case highlights a growing awareness among prosecutors and regulators of the ease and prevalence of SIM swap schemes. Reading the Powell indictment is not unlike reading one of the hundreds of credit card theft indictments that federal and state prosecutors pursue each year. As far as frauds go, SIM swapping is low-cost, unsophisticated, and rote. But, if you’re a criminal, it works.

SIM swapping works largely as the result of vulnerabilities in the telecom’s anti-fraud and identification protocols, and as the result of relatively weak anti-fraud and identification verification procedures used as the default for all too many online service providers, including financial services firms.

https://www.coindesk.com/consensus-magazine/2024/02/12/the-f...

https://finance.yahoo.com/news/sec-blames-sim-swap-attack-fo...

https://www.theguardian.com/money/2024/feb/19/sim-swap-how-y...

It keeps getting worse:

"US insurance firms sound alarm after 66,000 individuals impacted by SIM swap attack"

https://www.bitdefender.com/blog/hotforsecurity/us-insurance...

Bottom line, and putting this "global user" story to bed, if Twitter can dump SMS across emerging markets (not a lot of blue checkmark subscribers), so can everyone:

https://techcrunch.com/2024/01/23/x-adds-support-for-passkey...

All that said, @andix is correct in that if you're going to use it, you must not allow password resets or account takeovers with SMS. SMS must be strictly second factor, never "only factor": https://news.ycombinator.com/item?id=39467039


SMS 2FA is only ostensibly about security. Mobile providers always sucked at it and never advertised that they were selling high quality identification services in the first place. They've actually gotten better at it but it wasn't ever their thing and still isn't.

Phone numbers are excellent PII for user tracking though AND allow companies to dump a lot of the hard support work on someone else. Gobbling up PII to sell and externalizing the hard support stuff to someone else is how tech companies and increasingly any company works these days. So it isn't a surprise it isn't going anywhere. You'll likely need to cough up a number at least for "verification" anyway (since they want it) so they'll probably just use that for account recovery too while they're at it to make their lives easier.