HN Reader

SMS 2FA is not just insecure, it's also hostile to mountain people

412

314

> other options available to her include

> port her cellphone number to a VOIP provider that does support receiving SMS from shortcodes over wifi

That's generally a great solution – unless the company she's dealing with is one of those that don't send SMS-OTP codes to VoIP numbers for seCuRiTy reasons, or demand that the number is somehow "registered in her name" (which many smaller carriers apparently don't do).

I really wish that were illegal. A phone number is a phone number.

> she turned on wifi calling on her phone. now she could receive SMS messages from friends and family, but 2FA codes still weren't coming through.

Interesting, I was under the impression that SMS over IMS was implemented transparently to external senders. But given what a hack the entire protocol is, I'm not really surprised.

1 month agoby lxgr

She just needs a microcell/femtocell.

Talk to your provider, explain to them you get poor service at your home or place of work, and they'll send you a free Internet-in cellular-out radio AP. She doesn't need a tower-based booster if she's got fiber/cable/DSL, those only serve to amplify weak signals and she's too many miles and too many mountain ridges away from the nearest tower, she wants something with RJ-45 input, a little GPS antenna so the cell supports e911 location data, and it will broadcast LTE (or now 5g) cellular data.

I work at a shop with metal walls located in a river valley. It's a cellular data black hole. People used to climb the hill up the driveway to make and take calls, but various people called their ATT, Verizon, and T-Mobile providers and all three shipped us femtocells. Mow the users and the contractors/customers who come to visit can't even tell that their phones have switched to data over our ISP instead of a tower, it just works - including 2FA codes and MVNOs.

She may have to switch to first-party Verizon service instead of using an MVNO.

1 month agoby LeifCarrotson

Some of the comments pointed out that this is hostile behaviour for people roaming as well, and I completely agree. Here is my solution for this : When I am roaming internationally, I leave my SIM card in a spare android at home plugged into a charger. Android has an app that forwards SMS to API : https://f-droid.org/packages/tech.bogomolov.incomingsmsgatew.... Every time I receive a SMS I forward it to this API. The API in turn emails me the whole message.

I have been using this setup for a few years now without any issues. Even when I am not roaming, I still have this setup on my primary phone. So when I am on my computer and need a SMS OTP I don't need to go find my phone, I receive it in email :-).

(Note : This doesn't work with MMS but I don't need them anyway)

1 month agoby nelblu

Google Fi can receive all SMS 2 factor messages on Wi-Fi including short codes. It doesn't even require that your phone is on, you can get them in any web browser on any device even if your phone is destroyed. One of my favorite features.

You can get service starting at $20 per month. Fi used to have good service in some mountain areas too, with US Cellular. Not sure what's going on with US Cellular right now though. Some kind of half acquisition by T-Mobile.

1 month agoby modeless

Something somewhere is always hostile to particular group. That's just facts of life. You do your best to minimize but can never eliminate it.

As someone who has dealt with 2FA support, all the methods suck.

SMS 2FA is least secure but has broadest support with quickest recovery method.

TOTP Applications (Google Auth, Authy, iOS Passwords) is more secure but people switch phones, lose phones and so forth and recovery is always a nightmare.

Yubikey and like have cost problem and you still have recovery problem.

A clear solution in my mind is having the Federal Government run some form of centralized hardware based system where hardware could be replaced by government office after verifying identity. Government does this already for DoD CaC cards. However, in the United States, Privacy Advocates would lose their minds, and funding would constantly be under attack.

So yea, I get SMS 2FA is hostile to mountain people but 2FA is hostile to login services and executive yachts.

1 month agoby stackskipton

Much agreement with the others that there's too much expectation. I rented a lime scooter for the first time last year. But, I messed up my VPN settings so I had no Internet. There was no way to tell the scooter I'm done. Even though it was stopped, no button to end the ride. They refunded me the extra time (which was maybe 5 of the 10 minutes) because they could see it was just stopped at a bike rack on gps. Idk what I'd do if my phone died or any other reasonably possible things when you're out and about and on a scooter.

1 month agoby Neywiny

TOTP, HOTP.

SMS needs your number, your data is more valuable if marketers can assign your real name to your data. or aggregating all data about you, phone number helps with that.

1 month agoby Calwestjobs

1. Download the Google Voice app. This phone number works for some but not all 2FA services. Not all, because some explicitly forbid GV numbers because they're afraid of fraud. GV can receive SMS messages over wifi.

2. Ask the cell phone company for a femtocell. These used to be called "AT&T Microcells" and they were cheap. I used one before cell service improved because I live in the mountains. But apparently AT&T don't make them any more and now they cost $2500.

https://www.waveform.com/products/verizon-network-extender-f...

3. Subscribe to mightytext.net so you can get SMS on your computer. I don't know if this works if your cell phone can't get signal; I use it because I find it easier to use my laptop keyboard to type SMS messages than to use my thumbs on my phone.

1 month agoby dreamcompiler

TOTP are okay for some things but often regulation means each code/challenge needs to be tied to a specific action. TOTP codes typically last for 30s and mulitple actions can happen within 30s, so it's not possible to use TOTP in many cases.

PUSH approval could be used instead but then you need to download an app for every service you use, which isn't very convenient.

PASSKEYS offer a solution which will work on both web and mobile and don't require you to download an app for every service. But it's a new concept that people need to learn so how fast they will be adopted is yet to be seen.

1 month agoby brettanomyces

Oh, this happens to me. I didn’t even realize that’s why I wasn’t receiving some sms codes, because sometimes it works and sometimes it doesn’t. I live in a rural area and have spectrum for both wifi and mobile (just like the woman in the article). I have some cell service, but depending on how strong it is in any given day am usually relying on wifi for calling and sms.

SMS codes have been hit or miss, and this explains it well.

1 month agoby kaikai

This made me wonder whether it would be possible to build a Wi-Fi-only, roaming-only carrier for computers.

Your carrier is already capable of redirecting your SMS messages to other carriers, that's what they do when you're abroad and roaming with a foreign operator. You could make a fake carrier that speaks the right protocols on the roaming side, but communicates with the customer over the internet (using an API or a proprietary app) instead of LTE or GSM.

This would essentially work like an SS7 redirection attack, but with the full knowledge and consent of the "victim." You could alleviate the security impact here by requiring SIM card authentication, just like a normal carrier does, which could be performed through the internet and an USB reader just fine.

Carriers would probably hate this and might not be willing to sign roaming agreements with such a company. I wonder whether a gray-hat route would be possible here, especially if the company was outside US jurisdiction.

1 month agoby miki123211

I remember in 2014 going to play a Bitcoin poker game at some Google VP's house way up in the hills, Charlie Lee was there. We tried to buy-in at the beginning to a pot address but no one could get their Coinbase SMS 2FA to work because we had no reception so we ended up writing IOUs on scraps of paper.

1 month agoby jboggan

Along the same lines, am I the only one who thinks it's weird that when logging in on a desktop PC the average bank requires a:

- username

- password

- one time generated 16 digit number

- SMS confirmation

- email confirmation

- phone call with an associate

- retinal scan

- DNA sample

Whereas to log in on mobile all you potentially need is a 4 digit pin which a passerby could easily observe, then yank the phone from your hand?

1 month agoby moffkalast

Where does the trend of not capitalizing the first word in a sentence in techie blog posts come from?

1 month agoby clircle

> you have to download an app to do it, it's not just a capability that a phone has by default

Luckily this is starting to change. Apple's Passwords app does TOTP out of the box.

Though I am mystified why Google Authenticator doesn't come pre-installed in Android.

1 month agoby swiftcoder

If cell service is available in at least one area of the property, you could have a dedicated sim for receiving SMS 2FA and use a 4G router to forward the SMS to an email, e.g. Teltonika have this functionality [1].

The 4G router also has the benefit of being able to use externally mounted antennas. Which might help in low signal areas.

Not ideal, but might at least be a solution for some people.

[1]: https://wiki.teltonika-networks.com/view/SMS_Forwarding_Conf...

1 month agoby vanburen

The point of SMS 2FA is not security and never has been.

The point of SMS 2FA is tracking.

It's to force you to give them your phone number, for their own marketing, but also selling your customer profile to companies like Palantir.

This also makes the government happy, because they can scoop up your SMSs and they get a nice handy list of every service you use which makes warrants easier, but also gives them info about when you log in or do other actions on those accounts.

SMS 2FA costs these companies far more than TOTP would, but they still use SMS 2FA. That tells you everything you need to know...

1 month agoby KennyBlanken

I remember running in to this problem in university too where one of the basement lab rooms didn't have cell service, but we had to log in to the school computers with our university accounts that had mandatory 2fa

also was surprised to learn from the article that some carriers don’t support the 2fa 5 digit numbers over wifi calling/sms. when I travelled abroad recently that was such a life saver since my carrier supports it

1 month agoby jedbrooke

This is a problem with her carrier or her specific account provisioning. SMS over WiFi calling works just fine, including from short codes.

I'm often traveling outside of the US, and my AT&T prepaid line most definitely does not roam outside of CAN/US/MEX. I spend the bulk of my time in WiFi calling mode. I have never had any issues receiving or sending SMS over WiFi, including to short codes.

1 month agoby dwood_dev

"it turns out messages from 5 digit shortcodes often aren't supported over wifi calling."

This does not seems plausible. I live in urban area but do not have good cellural connection at home and my mobile phones are usually route calls via home Wifi. All SMS come through. It is just a low-lever transport and I doubt it cares about message size or numbers.

1 month agoby vzaliva

I wonder what the companies requiring 2FA think about uncompleted 2FA bounces. Deterred fraudster? Short attention span? SMS sucks?

1 month agoby tlb

TOTP might not be perfect, but they don't need networking. There's absolutely no reason a third-party or the server needs to maintain a source of secrets on demand needing to be sent over a network when the user can maintain an offline-capable 2FA generator themselves.

I'm not sold yet on non-portable, proprietary passkeys.

1 month agoby burnt-resistor

She should switch cell phone providers. I’ve never had a problem receiving 2FA SMS from five digit numbers over WiFi, and heavily rely on it working. I know this for sure because I have an automation set to put my phone in airplane mode + wifi when I get home. (It eats battery when there’s a weak 5g signal.)

SMS 2FA is terrible though.

1 month agoby hedora

i did some digging, and it turns out messages from 5 digit shortcodes often aren't supported over wifi calling. sometimes they are, but in her case they're clearly not.

This seems like a rather specific problem that isn't related to mountain people as such but services blocking "shortcodes" apparently for a variety of reasons. It is true that text and call reliability is becoming a real problem generally where you have these authentication issues. I myself in the mountains and have dealt with reliability issues.

Here's a discussion of this specific problem with T-mobile: https://www.reddit.com/r/tmobile/comments/ardcnc/aargh_final...

1 month agoby joe_the_user

This is a really good point, "cell service will always be available" is a classic incorrect assumption that needs to be shattered. I do kinda wonder what the correct way forward is, I think it's silly that ISPs don't support this type of SMS over wifi but I have no clue why. Meanwhile TOTP apps are rightly pointed out to be too numerous with unclear trade offs, I'm surprised ios and android don't have native TOTP apps (afaik).

As an aside, I hate the nuance-less "SMS 2FA is insecure" line. It's the weakest 2FA form for sure, but it's still so much better than not having 2FA. Even if you support multiple options depending on your product it may very well make sense to stick with SMS as the default to reduce friction.

1 month agoby some_random

I have garbage cell signal in my house, was only an issue for sending/receiving large pictures/video's over iMessage, apparently those don't send over WiFi for some unknown reason as well... I called Verizon and they sent me a Fem2Cell, problem solved.

1 month agoby hkchad

1. 2FA over SMS is only $23 away from a compromised phone service

2. People love binding individual accounts to specific IP addresses, and large marketing firms especially like websites that use free DNS service to quietly track said users across the session

3. Much like DRM, the account auto constrains a single user to a single IP. Makes sense... unless you run a business account with a dozen people clearing a shared inbox

4. SMS inbox phone numbers are $2.75, and that requirement is bypassed if the company smartphone hardware/emulation is in use for account "recovery"

5. SIM hijacking and email server snooping is far more common than people like to admit

6. People feel safer, but it only increases the CVE difficulty level slightly above third world skill levels

This is why we can't have nice things =3

1 month agoby Joel_Mckay

I had this problem a couple years back, when I was living in a small coastal town where cell service was spotty. Generally I could either be in a place where I could receive text messages, or a place where I could get access to wifi, but not both at the same time. When I wanted to get into my bank website, I would drive 20 minutes up the road to the next, slightly less small town, where I could get wifi and receive SMS, then drive back when I was done.

If I had stayed there longer, I might have found a better solution for my personal situation, but the experience as it was left me pretty uncomfortable with mandatory SMS 2FA as a general security tool. I'm sure there are many other people running into similar edge-cases.

1 month agoby marssaxman

I've read a fair number of cases where sim-swapping led to account hacks when the providers got talked into resetting passwords. It happened to a friend of mine. So I would say SMS 2FA is more hostile to people who are able to use it.

1 month agoby DennisP

This is a niche article, where it reads as though the SMS 2FA messages started coming through right as the lady purchased a cell service. Well the lady would have needed to have activated 2FA first and walked away from the house to even enable it.

Then goes on to say that TOPT is also too difficult, firstly because you have to download an app to do it, yet she supposedly knows how to use her phone.

There will always be edge cases where something doesn't work perfectly the way it does for everyone else. The solution here seems to be help her choose a TOPT app, print out those backup codes and be done with it.

1 month agoby NoPicklez

Great points.

> and TOTP, the obvious alternative solution, is still pretty sorry. you have to download an app to do it, it's not just a capability that a phone has by default. and then when trying to find an app to use for it, you're presented with a multitude of high-stakes choices, and often pretty technical explanations if you start internet searching about which app to use.

A reminder that mandatory iOS App Store / Android Play Store / (Xiaomi store ???) is even less acceptable than SMS 2FA unless maybe you're a USA(/Chinese) citizen living in USA(/China).

1 month agoby BlueTemplar

Sounds like discrimination of a broad group of people. Granted, it's not a designated protected group, like by national origin, but I still think they have a good chance in court.

1 month agoby deepsun

> and TOTP, the obvious alternative solution, is still pretty sorry. you have to download an app to do it, it's not just a capability that a phone has by default

iOS Passwords can serve as your TOTP authenticator app.

https://support.apple.com/guide/iphone/automatically-fill-in...

1 month agoby nicwolff

At this point it's pretty clear 2FA SMS is just a ploy to get PII customer data under the guise of security

1 month agoby declan_roberts

"Wi-Fi calling" (LTE over IP over wifi) often allows you to get SMS messages over wifi only, on an ordinary cell plan: https://support.apple.com/en-us/108066 (Android supports it too)

1 month agoby zkms

The part that was interesting to me in this article was that companies could somehow detect that the lady had a cellphone when previously the 2FA thing hadn't been a problem for her. I wonder if this was just poor timing or if places like financial institutions actually get an alert.

1 month agoby novia

SMS 2FA is also quite expensive. In the US it's $0.0083 per SMS, which at bulk is going to add up quickly. Even before the war started, it was $0.70 to send an SMS to Russia. And then there's the premium SMS line fraud that's led to massive bills for some companies.

1 month agoby kyledrake

Perhaps there’s a B2C offering to be made here. An SMS proxy, forwarding 2FA codes to people without SMS.

It would require a lot of trust.

Similar and related discussions on this post:

https://news.ycombinator.com/item?id=43976359

1 month agoby Meleagris

Isn't SMS 2FA immune to SIM swapping attacks when the SIM is an unregistered PAYG one?

i.e. there is no way to contact the carrier and get the number reassigned to a new SIM unless one first registers the SIM, and hence binds the number to a known identity.

1 month agoby dfawcus

It's not just people who live in the mountains that have this problem. People who do a lot of international travel see it too. There is absolutely no reliable way to predict the circumstances under which I will be able to receive an SMS.

1 month agoby lisper

Hey! I'm interested in that local AVL signal group. I've lived here for 6 years and I haven't met any friends because I'm a recluse with children. If you'd be willing to share, I would be greatly appreciative. :D

1 month agoby Peacefulz

Sms 2fa is also really annoying for travellers that don't use roaming

1 month agoby fersarr

Voip.ms is fairly inexpensive (a couple dollars per month) and if you get an SMS-capable line you can set it up to forward incoming SMS to email. Edit: I have not tested it with short codes

1 month agoby KerbalNo15

Why does SMS need a cell tower booster but the internet router doesn't need a cell tower booster? SMS will be much less bandwidth so it should be easier to receive than a whole web page.

1 month agoby charcircuit

SMS 2FA was only invented so govt. can access all of your accounts without having to know your password.

Check your service password reset flow – is it a phone number input? It was 1FA all along.

1 month agoby gloosx

I exclusively use wifi calling because my home doesn't have cellular coverage, and have never once had issues getting SMS codes delivered. Seems like a provider issue on her end.

1 month agoby paxys

The article does not support the title in my opinion. This has little to do with living in a mountain but more having an ISP that doesn’t support a lot of default telco functionality.

1 month agoby apexalpha

Newer phones offer free satellite texting, so that should solve their problem.

1 month agoby b8

In Israel some providers started to offer code in WhatsApp (for example credit card companies). This ensures that if you don’t have access to your phone number (for example: abroad) you won’t be locked out of your phone while implementing the same security mechanism

1 month agoby iddan

Trying removing consent to receive text messages on that number, or that it's only a land line and only phone calls are accepted.

You might even try to block incoming SMS. In fact, you might also try a forward with Twilio or free Google voice number, since a lot of SMS TOTP refuse to with with those numbers :)

I've even had success removing my phone number entirely from certain types of accounts, but sometimes I had to deliberately break the account (eBay) and then it tries to get you to confirm on each login which you can sometimes bypass by changing the URL or clicking the company logo.

Be sure to have strong security in other ways; strong, non repeated passwords.

But this is truly insane. Large banks don't even offer the option of TOTP but instead require far more insecure SMS. Maybe they'll offer RSA dongles, because they never bothered to remember when they all got completely leaked ten years ago or how they accepted $10M to completely compromise their constants.

What can you say, large enterprises are behind the security eight ball, as always! It's a tale as old as time.

https://www.wired.com/story/the-full-story-of-the-stunning-r...

https://www.theverge.com/2013/12/20/5231006/nsa-paid-10-mill...

1 month agoby _hyn3

Wish I could upvote this 20 more times. Very true thank you for this.

1 month agoby rc_mob

How hard would it be for them(company) to use the Signal app for 2FA?

1 month agoby vaadu

I travel constantly and this is a HUGE issue for me. It used to work with VOIP but now everyone wants to make sure they have maximum sellable data so they require mobile numbers. Also, clownworld security, which is totally bunk as an excuse on this.

1 month agoby K0balt

Meh. SMS basically has the same problems as capability URLs for password resets. Sure, Mail is usually TLS encrypted these days, but they are still not regarded as secret.

That said, I still would prefer both over another shitty authenticator app that really gets on my nerves.

Additionally, I would like an option toggle with "Yes, I do have a safe and uncompromised password", where I can get rid of this crap.

Some 2FA systems do work if they don't ask more than once a month, but they are the exception.

1 month agoby raxxorraxor

Why can’t people take the time to use grammar correctly? This post is illegible.

1 month agoby malcolmgreaves

Nice article, although I despise the "lowercase only" affectation that so many of us techies pass through. Capitalising the first letter in a sentence is a courtesy to the reader, not a stylistic choice you should impose to make yourself feel special.

1 month agoby gusfoo

Not only SMS 2FA, but in the past maybe couple years, many sites have been making their logins worse in many ways.

For example, I'm actually liking Walmart.com more than Amazon in some ways lately, but logging into Walmart.com takes minutes while I wait for the 2FA after I already password authenticate. So Amazon wins all the casual browsing and impulse sales, and by the time I do log in to Walmart.com, it's only because I know I want to order something from there specifically, and it's already feeling tedious.

Some off-the-cuff suggestions, since the worsening authentication experience really bugs me:

1. Present the email/username and password fields simultaneously, so the browsers like Firefox can fill out both fields. (A lot of site have started showing only the email/username to start, and also making that rely on non-login form field filling. And only after you type in your admin/email, because you don't form autofill in general, does it present

2. After user opts to authenticate with a password rather than SMS/email code, let them in, unless you're something like a bank or a medical provider. (Don't then make them do the SMS/email code anyway.)

3. If your mega online store handles HIPAA-sensitive data for some small percentage of visits, and you need 2FA for that, maybe only do the 2FA to upgrade the authentication confidence for session. (Or maybe the more sensitive data is on a different backend anyway, so as not to encumber all the developers implementing Wheaties logistics, with all the additional protections that are needed for medical records, nor to add additional weak links leading to leaks.)

4. When SMS/email 2FA is really necessary, send it immediately and reliably, and make it copy&pasteable. (Sometimes I wait minutes, and other times it doesn't come through at all. And I've even gotten email ones where competent-user text-selection picks up whitespace somehow, or even a weird unprintable Unicode character, which breaks the code entry when pasted.)

5. Those buttons to authenticate a variety of other sites are needlessly leaking information, and creating additional ways to compromise the account. (That's what you do if you want to reduce friction to first visits to your site, for which people aren't interested enough to create a password to use -- but not for logins from recurring customers.)

6. Don't prompt for "remember this browser?", and don't otherwise rely on the persistent tracking data deposited on the user's browser, across explicit authentication sessions, such as to decide whether to 2FA. For one reason, those persistent data mechanisms are overwhelmingly for shady abuse by the adtech/surveillance industry in shady ways, and are frequently cleared by privacy-conscious users. Any why is a bank, for example, complicating the UI, to ask ordinary users whether to lower their authentication security on this device, and expecting much sense out of that at all. Keep it simpler, more secure, and more responsible or respectable.

7. If you must support 2FA, make TOTP an option. And not TOTP-incompatible codes that requires installing your app, or that depends on some oddball third-party proprietary authenticator app/fob that seemed like a good idea at the time but is not a reason not to support TOTP. (You can still grandparent in the legacy proprietary 2FA, for those long-time users who've been using it, and be clever about not complicating the UI for those those dwindling users, nor for the increasing users using the more current open standard.)

1 month agoby neilv

Mountain people and anyone who goes abroad, where they use a different SIM card.

People who perpetrate SMS 2FA are pure scum.

1 month agoby kazinator

Not only mountain people, try staying in Wales or inner parts of London, good luck receiving your 2FA code.

1 month agoby kawsper

Can we just go back to having passwords please. I hate this state of authentication on the web.

1 month agoby andoando

When you choose an eccentric lifestyle you should accept the loss of certain features.

1 month agoby jaoane