[fasteo]

>>> I really wish that were illegal. A phone number is a phone number.

European speaking. For completeness:

Financial directive PSD2[1] allows to use an SMS as a 2FA only because there is an KYC already done for that number (anon SIM are no longer allowed in the EU)

Also note that the 2FA is not the OTP code you receive. This code is just a proxy for probing "something you have", with the "something" being the phone number which, again, is linked to a physical person/company.

I have commented this several times, but as of today, SMS is the only 2FA method that can be easily deployed at scale (all demographics, all locations, compatible with all mobile devices)

[1] https://en.wikipedia.org/wiki/Payment_Services_Directive

[watermelon0]

Anon SIM cards are still allowed in some EU countries: https://prepaid-data-sim-card.fandom.com/wiki/Registration_P...

[wkat4242]

Yes in the Netherlands they're still anonymous

[lisper]

> anon SIM are no longer allowed in the EU

Ah. That explains why they asked for my life history when I tried to buy a local SIM in Italy.

[lxgr]

Ironically, this is only true for prepaid SIMs. As a result, in some EU countries it's easier to get a month-by-month postpaid plan – sometimes there's no KYC at all for these...

[stogot]

When did this change happen? I’ve done local SIM prepaid all over Europe over the past decade, but not so much recently

[wkat4242]

It didn't. It's still up to each country. There's still several without mandatory registration.

[dfawcus]

> anon SIM are no longer allowed in the EU

Surely Ireland still allows them? If not, they're trivial to source from NI.

[wkat4242]

Yes the problem with UK ones though is that they route all the traffic through a prude proxy if you don't register. Because the UK is getting back to the Victorian era.

I had a SIM from three Ireland that tried to apply this UK policy also on the republic of Ireland customers where this is not required. It was unusable, it blocked pretty much everything it didn't recognise like VPNs, even email servers. Luckily there's many sane providers there too. And no they don't require registration.

[exabrial]

> SMS is the only 2FA method that can be easily deployed at scale

No, no, no, no, NO. No it's not. And you have zero proof of this. Its done this way because its the lowest effort to give security theater.

[kgen]

What's the theater with sms 2fa? That is more secure than not having it enabled no?

[terribleperson]

Possibly less secure, considering the existence of sim-cloning crime rings. SMS 2-factor potentially gives a hostile actor a way to 'prove' that they're you.

[genevra]

What's the actual method that can be easily deployed at scale then?

[iamjackg]

I'd argue that there isn't one: you have to offer multiple choices. Auth through any TOTP app, Yubi key, pre-generated codes, mailing a physical code generator, etc.

[afiori]

Email + SMS + generic time-based OTP seems quite enough for imho

[lxgr]

> Financial directive PSD2[1] allows to use an SMS as a 2FA only because there is an KYC already done for that number (anon SIM are no longer allowed in the EU)

I don't think that's true. Is there even any way for banks to ask your mobile operator for your identity (or confirm it), in the way that US banks seem to be able to? That seems like it would run afoul EU privacy regulations.

And regarding the EU "anonymous SIM" regulation: That one ironically only seems to apply to prepaid cards. To my surprise, I was just able to register a postpaid line using no identity verification whatsoever a few days ago...

> This code is just a proxy for probing "something you have", with the "something" being the phone number which, again, is linked to a physical person/company.

The "thing you have" is actually the SIM card. That's supposedly why email OTP does not count – an account on some server is not, or at least not cleanly, "something you have". (A pretty poor decision, IMO, but that's a different story.)

> I have commented this several times, but as of today, SMS is the only 2FA method that can be easily deployed at scale (all demographics, all locations, compatible with all mobile devices)

All demographics except for people that change phone numbers frequently. All locations except those that don't have cell signal (or for plans without roaming). All mobile devices except those without a SIM card slot. An authentication solution for absolutely everyone! /s