HN Reader

> port her cellphone number to a VOIP provider that does support receiving SMS from shortcodes over wifi

That's generally a great solution – unless the company she's dealing with is one of those that don't send SMS-OTP codes to VoIP numbers for seCuRiTy reasons, or demand that the number is somehow "registered in her name" (which many smaller carriers apparently don't do).

I really wish that were illegal. A phone number is a phone number.

> she turned on wifi calling on her phone. now she could receive SMS messages from friends and family, but 2FA codes still weren't coming through.

Interesting, I was under the impression that SMS over IMS was implemented transparently to external senders. But given what a hack the entire protocol is, I'm not really surprised.

Talk to your provider, explain to them you get poor service at your home or place of work, and they'll send you a free Internet-in cellular-out radio AP. She doesn't need a tower-based booster if she's got fiber/cable/DSL, those only serve to amplify weak signals and she's too many miles and too many mountain ridges away from the nearest tower, she wants something with RJ-45 input, a little GPS antenna so the cell supports e911 location data, and it will broadcast LTE (or now 5g) cellular data.

I work at a shop with metal walls located in a river valley. It's a cellular data black hole. People used to climb the hill up the driveway to make and take calls, but various people called their ATT, Verizon, and T-Mobile providers and all three shipped us femtocells. Mow the users and the contractors/customers who come to visit can't even tell that their phones have switched to data over our ISP instead of a tower, it just works - including 2FA codes and MVNOs.

She may have to switch to first-party Verizon service instead of using an MVNO.

I have been using this setup for a few years now without any issues. Even when I am not roaming, I still have this setup on my primary phone. So when I am on my computer and need a SMS OTP I don't need to go find my phone, I receive it in email :-).

(Note : This doesn't work with MMS but I don't need them anyway)

2. Ask the cell phone company for a femtocell. These used to be called "AT&T Microcells" and they were cheap. I used one before cell service improved because I live in the mountains. But apparently AT&T don't make them any more and now they cost $2500.

https://www.waveform.com/products/verizon-network-extender-f...

3. Subscribe to mightytext.net so you can get SMS on your computer. I don't know if this works if your cell phone can't get signal; I use it because I find it easier to use my laptop keyboard to type SMS messages than to use my thumbs on my phone.

This does not seems plausible. I live in urban area but do not have good cellural connection at home and my mobile phones are usually route calls via home Wifi. All SMS come through. It is just a low-lever transport and I doubt it cares about message size or numbers.

SMS codes have been hit or miss, and this explains it well.

Then goes on to say that TOPT is also too difficult, firstly because you have to download an app to do it, yet she supposedly knows how to use her phone.

There will always be edge cases where something doesn't work perfectly the way it does for everyone else. The solution here seems to be help her choose a TOPT app, print out those backup codes and be done with it.

also was surprised to learn from the article that some carriers don’t support the 2fa 5 digit numbers over wifi calling/sms. when I travelled abroad recently that was such a life saver since my carrier supports it

As an aside, I hate the nuance-less "SMS 2FA is insecure" line. It's the weakest 2FA form for sure, but it's still so much better than not having 2FA. Even if you support multiple options depending on your product it may very well make sense to stick with SMS as the default to reduce friction.

I'm often traveling outside of the US, and my AT&T prepaid line most definitely does not roam outside of CAN/US/MEX. I spend the bulk of my time in WiFi calling mode. I have never had any issues receiving or sending SMS over WiFi, including to short codes.

SMS 2FA is terrible though.

iOS Passwords can serve as your TOTP authenticator app.

https://support.apple.com/guide/iphone/automatically-fill-in...

The point of SMS 2FA is tracking.

It's to force you to give them your phone number, for their own marketing, but also selling your customer profile to companies like Palantir.

This also makes the government happy, because they can scoop up your SMSs and they get a nice handy list of every service you use which makes warrants easier, but also gives them info about when you log in or do other actions on those accounts.

SMS 2FA costs these companies far more than TOTP would, but they still use SMS 2FA. That tells you everything you need to know...

> and TOTP, the obvious alternative solution, is still pretty sorry. you have to download an app to do it, it's not just a capability that a phone has by default. and then when trying to find an app to use for it, you're presented with a multitude of high-stakes choices, and often pretty technical explanations if you start internet searching about which app to use.

A reminder that mandatory iOS App Store / Android Play Store / (Xiaomi store ???) is even less acceptable than SMS 2FA unless maybe you're a USA(/Chinese) citizen living in USA(/China).

SMS needs your number, your data is more valuable if marketers can assign your real name to your data. or aggregating all data about you, phone number helps with that.

As someone who has dealt with 2FA support, all the methods suck.

SMS 2FA is least secure but has broadest support with quickest recovery method.

TOTP Applications (Google Auth, Authy, iOS Passwords) is more secure but people switch phones, lose phones and so forth and recovery is always a nightmare.

Yubikey and like have cost problem and you still have recovery problem.

A clear solution in my mind is having the Federal Government run some form of centralized hardware based system where hardware could be replaced by government office after verifying identity. Government does this already for DoD CaC cards. However, in the United States, Privacy Advocates would lose their minds, and funding would constantly be under attack.

So yea, I get SMS 2FA is hostile to mountain people but 2FA is hostile to login services and executive yachts.

The 4G router also has the benefit of being able to use externally mounted antennas. Which might help in low signal areas.

Not ideal, but might at least be a solution for some people.

[1]: https://wiki.teltonika-networks.com/view/SMS_Forwarding_Conf...

- username

- password

- one time generated 16 digit number

- SMS confirmation

- email confirmation

- phone call with an associate

- retinal scan

- DNA sample

Whereas to log in on mobile all you potentially need is a 4 digit pin which a passerby could easily observe, then yank the phone from your hand?

It would require a lot of trust.

Similar and related discussions on this post:

https://news.ycombinator.com/item?id=43976359

You can get service starting at $20 per month. Fi used to have good service in some mountain areas too, with US Cellular. Not sure what's going on with US Cellular right now though. Some kind of half acquisition by T-Mobile.

Luckily this is starting to change. Apple's Passwords app does TOTP out of the box.

Though I am mystified why Google Authenticator doesn't come pre-installed in Android.

This seems like a rather specific problem that isn't related to mountain people as such but services blocking "shortcodes" apparently for a variety of reasons. It is true that text and call reliability is becoming a real problem generally where you have these authentication issues. I myself in the mountains and have dealt with reliability issues.

Here's a discussion of this specific problem with T-mobile: https://www.reddit.com/r/tmobile/comments/ardcnc/aargh_final...

PUSH approval could be used instead but then you need to download an app for every service you use, which isn't very convenient.

PASSKEYS offer a solution which will work on both web and mobile and don't require you to download an app for every service. But it's a new concept that people need to learn so how fast they will be adopted is yet to be seen.

2. People love binding individual accounts to specific IP addresses, and large marketing firms especially like websites that use free DNS service to quietly track said users across the session

3. Much like DRM, the account auto constrains a single user to a single IP. Makes sense... unless you run a business account with a dozen people clearing a shared inbox

4. SMS inbox phone numbers are $2.75, and that requirement is bypassed if the company smartphone hardware/emulation is in use for account "recovery"

5. SIM hijacking and email server snooping is far more common than people like to admit

6. People feel safer, but it only increases the CVE difficulty level slightly above third world skill levels

This is why we can't have nice things =3

Your carrier is already capable of redirecting your SMS messages to other carriers, that's what they do when you're abroad and roaming with a foreign operator. You could make a fake carrier that speaks the right protocols on the roaming side, but communicates with the customer over the internet (using an API or a proprietary app) instead of LTE or GSM.

This would essentially work like an SS7 redirection attack, but with the full knowledge and consent of the "victim." You could alleviate the security impact here by requiring SIM card authentication, just like a normal carrier does, which could be performed through the internet and an USB reader just fine.

Carriers would probably hate this and might not be willing to sign roaming agreements with such a company. I wonder whether a gray-hat route would be possible here, especially if the company was outside US jurisdiction.

i.e. there is no way to contact the carrier and get the number reassigned to a new SIM unless one first registers the SIM, and hence binds the number to a known identity.

If I had stayed there longer, I might have found a better solution for my personal situation, but the experience as it was left me pretty uncomfortable with mandatory SMS 2FA as a general security tool. I'm sure there are many other people running into similar edge-cases.

I'm not sold yet on non-portable, proprietary passkeys.

You might even try to block incoming SMS. In fact, you might also try a forward with Twilio or free Google voice number, since a lot of SMS TOTP refuse to with with those numbers :)

I've even had success removing my phone number entirely from certain types of accounts, but sometimes I had to deliberately break the account (eBay) and then it tries to get you to confirm on each login which you can sometimes bypass by changing the URL or clicking the company logo.

Be sure to have strong security in other ways; strong, non repeated passwords.

But this is truly insane. Large banks don't even offer the option of TOTP but instead require far more insecure SMS. Maybe they'll offer RSA dongles, because they never bothered to remember when they all got completely leaked ten years ago or how they accepted $10M to completely compromise their constants.

What can you say, large enterprises are behind the security eight ball, as always! It's a tale as old as time.

https://www.wired.com/story/the-full-story-of-the-stunning-r...

https://www.theverge.com/2013/12/20/5231006/nsa-paid-10-mill...

People who perpetrate SMS 2FA are pure scum.

That said, I still would prefer both over another shitty authenticator app that really gets on my nerves.

Additionally, I would like an option toggle with "Yes, I do have a safe and uncompromised password", where I can get rid of this crap.

Some 2FA systems do work if they don't ask more than once a month, but they are the exception.

Check your service password reset flow – is it a phone number input? It was 1FA all along.

For example, I'm actually liking Walmart.com more than Amazon in some ways lately, but logging into Walmart.com takes minutes while I wait for the 2FA after I already password authenticate. So Amazon wins all the casual browsing and impulse sales, and by the time I do log in to Walmart.com, it's only because I know I want to order something from there specifically, and it's already feeling tedious.

Some off-the-cuff suggestions, since the worsening authentication experience really bugs me:

1. Present the email/username and password fields simultaneously, so the browsers like Firefox can fill out both fields. (A lot of site have started showing only the email/username to start, and also making that rely on non-login form field filling. And only after you type in your admin/email, because you don't form autofill in general, does it present

2. After user opts to authenticate with a password rather than SMS/email code, let them in, unless you're something like a bank or a medical provider. (Don't then make them do the SMS/email code anyway.)

3. If your mega online store handles HIPAA-sensitive data for some small percentage of visits, and you need 2FA for that, maybe only do the 2FA to upgrade the authentication confidence for session. (Or maybe the more sensitive data is on a different backend anyway, so as not to encumber all the developers implementing Wheaties logistics, with all the additional protections that are needed for medical records, nor to add additional weak links leading to leaks.)

4. When SMS/email 2FA is really necessary, send it immediately and reliably, and make it copy&pasteable. (Sometimes I wait minutes, and other times it doesn't come through at all. And I've even gotten email ones where competent-user text-selection picks up whitespace somehow, or even a weird unprintable Unicode character, which breaks the code entry when pasted.)

5. Those buttons to authenticate a variety of other sites are needlessly leaking information, and creating additional ways to compromise the account. (That's what you do if you want to reduce friction to first visits to your site, for which people aren't interested enough to create a password to use -- but not for logins from recurring customers.)

6. Don't prompt for "remember this browser?", and don't otherwise rely on the persistent tracking data deposited on the user's browser, across explicit authentication sessions, such as to decide whether to 2FA. For one reason, those persistent data mechanisms are overwhelmingly for shady abuse by the adtech/surveillance industry in shady ways, and are frequently cleared by privacy-conscious users. Any why is a bank, for example, complicating the UI, to ask ordinary users whether to lower their authentication security on this device, and expecting much sense out of that at all. Keep it simpler, more secure, and more responsible or respectable.

7. If you must support 2FA, make TOTP an option. And not TOTP-incompatible codes that requires installing your app, or that depends on some oddball third-party proprietary authenticator app/fob that seemed like a good idea at the time but is not a reason not to support TOTP. (You can still grandparent in the legacy proprietary 2FA, for those long-time users who've been using it, and be clever about not complicating the UI for those those dwindling users, nor for the increasing users using the more current open standard.)