HACKER Q&A
📣 codegeek

How can techies influence companies to stop implementing SMS/phone 2FA


We are tired of the risk that SMS 2FA brings. Most of us have gotten smart enough to not use it but some companies (financial institutions especially) only have SMS based 2FA even in 2022.

Then, there are some shady ones that force you to enter a phone number even for non-SMS/TOTP based 2FA (looking at you, sendgrid).

People losing access to their phone is a scenario that puts users at significant risk of losing access to key accounts. I am not even talking about the security risk SMS 2FA brings, which of course it does.

The worst part is that even now, companies are implementing it as an "updated security measure". Who are these people in the tech. departments making these decisions? It is beyond ridiculous, and why can't there be someone who understands that this needs to stop? I know most common people have no idea, but there are plenty of us who know what a pain in the ass this is.

Is it time to try and force legislation through Congress? Because I don't think these companies give a shit until forced to.


  👤 JoeCortopassi Accepted Answer ✓
This is the most naive take on HN. The only secure computer is one that's been unplugged and buried in six feet of concrete; everything after that is a compromise.

The real world security issues that companies face are things like:

  - users that re-use tiny passwords written on a post-it note that's attached to their monitor
  - regulated industries that don't allow them to actually lock a user out, which causes leaky social engineering flows for their help centers
  - users that constantly forget their passwords, and have terrible forgotten-password questions/answers
  - passwords they share with a friend/partner, that they then have a falling out with

The reason SMS 2FA is popular is because the average use case is that the user's (reused and/or weak) password was captured somewhere, and this protects the user from simple attacks on their account where the password is known. It's just like the PIN code for most modern smartphones: just secure enough to keep the average person out if their phone is lost or stolen.

"But Joe, having a more secure system isn't that much harder on the user and is infinitely more secure." I promise you, it is that much harder. Most users can barely understand/handle SMS 2FA. Remember, we have to force users to not use trivially simple passwords like 'password'. Shoot, companies like AOL still derive monthly subscription fees because it's too hard for people to figure out how to change email providers.


👤 EduardoBautista
The thing is, SMS 2FA is still way better than no 2FA and users are more likely to use it since it requires very little effort on their part.

Having to scan a QR code is too much friction compared to just asking for their phone number which will then send a code that a modern phone OS will then be able to autofill all without leaving the app and going into the messages app to retrieve that code.

Edit: I have 4 YubiKeys and a Ledger Nano S that I use for critical services, such as my Google accounts and domain registrar, and I _still_ use SMS 2FA out of laziness for most services.


👤 mpalczewski
Techies can best influence by understanding why SMS OTP is popular and coming up with something better.

Not only do you need to understand what shortcomings SMS has, but also non-cynically understand why other solutions are worse.


👤 edent
Losing access to a phone means losing access to your TOTP codes as well. So that's no different than losing access to SMS.

TOTP codes can be shared between multiple devices - which makes them less unique than an SMS to a specific MSISDN. Your ability to back up a code doesn't necessarily mean you have the ability to store it securely.

FIDO tokens can also be lost.

I don't know why you're asking for your congress to fix this. You live in a free market, so move your business to someone who you think takes security seriously.


👤 pwg
> Who are these people in the tech. departments making these decisions ?

It is not the "tech. departments" making the decisions.

It is a PHB [1] in the "security department" following a checklist of "recommended practices" and one of the checkboxes on the list is "add SMS 2FA".

I.e., you are looking at it as a technical decision where the pros and cons security wise are weighed and the better technical solution is selected.

Which is not at all how these decisions occur in the real world in real businesses, and esp. in stodgy ones like banks/finance. Instead the decision is driven not by technical merit but by what "options" are provided on the checklist they must follow, that checklist often being sourced from whatever govt. regulator provides their oversight.

The technical people building the solutions likely know all the problems, but are powerless to do anything but implement the directed solution, because the directed solution is the only one available on the "checklist" from which they are allowed to select.

[1] PHB = Pointy Haired Boss -- Dilbert cartoon reference


👤 twawaaay
Companies are weighing security vs convenience for the users vs support costs. They do know they could be more secure but the goal is not max security but rather some kind of balance between the three mentioned above. And sometimes it is in fact just sheer incompetence.

Trouble is, most people do not know what to do with a physical second factor. They don't know you need more than one and that you need to keep one offsite. They don't understand that the way to make a second factor work well is to deny the ability to recover your access without it, with all the nasty consequences of that.

For a company that provides service to customers, this is a nightmare. Unhappy customers, high support costs of trying to somehow securely give the access back to people who lost their tokens.

I think a much easier solution is to go to your mobile carrier and get an arrangement where they require you to go through special hoops to get the SIM card if you lose it or to port the number (which is what I did).

Also if you really care about security, put that number on a separate phone where you absolutely don't install any extra software. And do not use this phone for normal communication, do not put it in any contacts, try to avoid associating it with your name. This phone becomes your second factor so you might just as well get something cheap and small.


👤 simiones
As long as the only viable alternative to SMS 2FA is some kind of Authenticator app on your phone, and as long as most people change or lose their phone FAR more often than they change their phone number, I really don't see how anything other than SMS has any realistic chance of being accepted as 2FA.

In fact, most services that allow you to configure a different 2FA still fall back to SMS if you say you don't have access to your Authenticator app anymore.

And no, yubikeys or other self-acquired hardware tokens are not a viable alternative.

Edit: just for reference, I've been using the same mobile number for ~15 years, back when I had a Nokia 3310. I have probably had 10 different phones in the same period - which would have meant I would have had to go to each service I used 2FA on 10 times in the same period to switch to the new 2FA if I had been using Authentication apps (and if anyone had been offering 2FA ~15 years ago). Note that one of these 10 phones was stolen, so recovering the accounts after that would have been a joy.


👤 chunk_waffle
I tried to die on this hill once...

An "Architect" was pushing SMS 2FA for our application, and only SMS 2FA. Like you, I pointed out all the issues. The response I got was "well, if it's good enough for $BIGCORP it is good enough for us" and I didn't win. Cargo culting at its finest.


👤 lovelearning
Perhaps by influencing developers and architects directly? Everybody searches for something like "how to implement 2FA nodejs" or "2FA best practices."

Flood the web with search-engine-optimized articles and tutorials around such phrases. Publish them on high-traffic sites and make them rank high. Content copycats will then organically spread those best practices through the web over time.

SMS-based 2FA has its simplicity/security trade-offs. But what really gets on my nerves is when websites don't even offer better 2FA options like software tokens and hardware tokens to power users.

For that problem, the articles can include content templates with instructions to users about buying hardware keys or installing 2FAS/Authy/GoogleAuth. Front-end devs can then just paste those templates in their HTML.


👤 t_sawyer
Are you advocating for OTP 2FA? If so, your concern about losing your phone and losing access to your accounts is still an issue.

At the end of the day, OTP is more secure for the obvious issue with mobile carriers being phished into SIM jacking. But, I've personally had 0 luck convincing any business person that OTP is the best thing to use because (and this is a true statement) users are dumb and lazy and don't want to go through the process of downloading an app on their phone and setting up OTP. Plugging in your phone number for SMS is way easier.


👤 0xbadcafebee
Nobody has actually tried a concerted effort to banish SMS 2FA (that I know of). Here's how I'd do it:

1. Figure out what the alternative is ("X"). It must be one thing that is dead simple, and it must work for 90% of people without annoying the fuck out of them. "Technically superior" is bullshit, it must be superior to an industry, organization, and an individual lazy user.

2. Get a coalition together of corporations who depend highly on SMS 2FA. Get them to all agree to be involved in changing to X. There are big financial and legal implications here, this is not easy. People have probably signed long-term contracts and those will need to run out or be written off.

3. A big marketing push to tell people that you are spearheading change; SMS 2FA is old and busted, X is the new hotness. You have to convince users to give it a chance, organizations to stake their reputation and security on it.

4. An organization needs to exist whose sole purpose is to make money off the new alternative. Partly this is because orgs want to pay for "premium support", partly it's to offer indemnity to customers, partly to provide a white glove service during transition, and of course, any company that makes money off something gives it legitimacy, which is needed to make people take it seriously.

5. Get official standards bodies, the government, consumer protection agencies, etc. to all make official proclamations that SMS 2FA is a danger to the nation and should be abandoned in favor of X.

6. A long period of transition. Years. A lot of support for people during the transition. Bug-fixing, figuring out edge cases, adding support to every platform on the god damn Earth.

7. All this needs to be paid for. Get the money, get it to the right people at the right time.


👤 aliqot
You won't because people are married to their phones now. Anything else is an alien concept. Cars don't use keys anymore, people are going to be dumbfounded why their computer suddenly does.

👤 toomuchtodo
> Is it time to try and force a legislation through Congress because I don't think these companies give a shit until forced to.

Yes. Without regulation, nothing will change in the short term; perhaps in the long term with Google and Apple pushing passkeys in their ecosystems.

You will still need a solution for those without a mobile phone or a smartphone, such as a hardware PIV/smart card like DoD CAC and other digital ID cards with crypto primitive support.

SMS/Voice MFA must go. Call your representatives.

https://www.congress.gov/bill/117th-congress/house-bill/4258

https://www.cisa.gov/sites/default/files/publications/fact-s...


👤 open-source-ux
It was Google that championed 2-step verification a decade ago (2011), including SMS messages as an option. I presume few people anticipated SIM-swap attacks at the time.

"After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device." [1]

Until someone comes up with an SMS 2FA alternative that is simpler and easier than all the SMS alternatives, SMS 2FA will continue.

[1] Advanced sign-in security for your Google account (2011) https://googleblog.blogspot.com/2011/02/advanced-sign-in-sec...


👤 foobazgt
I feel like there's an analogy between cryptocurrency and MFA where the strongest proponents of each ignore the human / social factors that landed us in the regime we're in now. If the replacement doesn't accommodate for those same concerns, it's not likely to take hold.

In the same sense that transactions need to be reversible, credentials and IDs need to be recoverable. People lose their devices, forget their passwords, undergo physical change, etc. I can't wait for the day we have something ubiquitous, trustworthy, secure, recoverable, and simple.


👤 bombcar
> Who are these people in the tech. departments making these decisions ?

They aren't in the tech department; it's being forced downwards in many cases, often by the company "selling" the 2FA "solution".

Some cases you get a rare CTO who actually understands and cares, but that's rare.

The main point of attack would be the companies selling 2FA solutions to enterprise; they need to add non-SMS options and market on them - which may require a few more high profile SMS hacks to get it in front of everyone.

So maybe the solution is for techies to hack SMS 2FA (don't actually do this).


👤 taylodl
It's cybersecurity departments that mandate these policies. In my organization a lot of these people come by way of the U.S. Air Force and NSA. They literally have seats at the table in the White House for DHS (Department of Homeland Security) meetings. Can you guess what they advocate for? Yep - SMS 2FA!

Now imagine you're the CEO of my company (a Fortune 200 company), a company that's responsible for infrastructure that's been deemed vital to the security of the United States. Who do you think the CEO is going to listen to, me or the Air Force guys and guys hailing from America's top three-letter security agencies?

Now, if that's what our CEO is doing then what do you think your CEO is doing? That's right - they're looking at what we're doing. They know we have our personnel engaged in meetings at the White House. They know we're managing nationally critical infrastructure. They know how we're securing our customer-facing applications - and that's SMS 2FA.

My advice is to keep your mouth shut unless you're a recognized security expert. You're just spending political capital for naught.


👤 tomwheeler
I've often wondered if companies prefer SMS over TOTP for multi-factor authentication because it provides them with a reliable phone number for each customer.

At least one company promised that phone numbers will be used only for authentication, but was caught using them for marketing (which is exactly why I don't trust most companies with my phone number in the first place).


👤 juancn
I'm currently struggling to get access to an account for which my daughter lost the number (it was a prepaid phone number, went back to the pool).

The biggest issue with 2FA is that everybody allows you to set it up with just a single second factor, so losing it means you're out.

In enterprise contexts, it's not an issue, there's another factor that you can use in an emergency, which is basically contacting IT.

But for things like Google, Apple, etc. you should not be allowed or required to set up 2FA unless you can provide two distinct second factors, one for regular use, and another for recovery in case the first one is unavailable.

This is such a glaring usability omission that I cannot fathom how the heck we're still pushing for it.


👤 mattferderer
It took a long time to get companies to adopt 2FA. It'll take time & continued effort teaching & explaining to get more companies to move off. Each company is unique in their own reasons to not improve security.

👤 dmingod666
"People losing access to their phone is a scenario and puts users at significant risk of losing access to key accounts"

You'd go to your network provider, show ID and in hours you have your SIM back. What is this hyperbole..?


👤 Bhilai
This has been a struggle at the company I work for. It's not really the techies that need convincing, it's the Product Managers who somehow have established this thought in their head that anything beyond SMS would be too hard for our customers to use, as stuff like TOTP requires a separate app or push notification or something else that is too out-of-band. For employees we already use TOTP/YubiKey based MFA.

👤 dmak
I just hate that I need a mobile plan now to use most services that require SMS 2FA. I want to be able to do everything without a phone number.

👤 mcshicks
There is legislation, the Secure Digital Identity Act, making its way through Congress. It would task NIST to create a standard.

👤 insanitybit
The short version is to probably try to document the upsides and downsides of 2FA options and then petition NIST/CISA to recommend against SMS 2FA. Eventually that will make it to the auditors who certify institutions and force them to upgrade.

Congress isn't really going to be relevant. The auditors have far more control.


👤 igtztorrero
2FA is good and is evil.

Good because with an SMS you can get easy access to recover your password.

Evil because, lose your phone, lose your access to email, bank and other services.

Maybe use 2FA with at least 4 methods of RECOVERY like: password, email, secret question, OTP SMS, another secret question.

Stop 2FA with limited methods.


👤 lob_it
What if tcp/ip and the digital pangaea known as cesspool devises domestic protocols and retires tcp/ip for a national infrastructure on a modern 21st century protocol, without a billion illiterates (they can sit around all day and shake the tree for fruit and nuts)?

Most of the impediments are long gone at that point. Domestic jurisdiction/regulation has better options, customs and etiquette, similar to domestic speed limits (that do not apply anywhere else).

Technology moves fast. Something similar to a VPN client would still have access to tcp/ip subscriptions, so online gaming and things like that could still flourish.

I don't see telehealth, remote learning and several other industries blossoming until domestic protocols are the norm.

Security with obscurity is elementary nowadays :p

Similar to phonograph, to reel-to-reel, to cassette, to CD, to DVD, to streaming, to 21st century mediums, the quality data goes with each generation. The cool music is still there.


👤 djbusby
Also, the $BIG_CO implementing this Today likely put it on their roadmap like two or three years ago.

And whichever manager made the push then cannot change course now or they'll be "wrong" which impacts their pay.

So, push the project through and call it a success.


👤 diego_moita
Do you really expect politicians to fix a technical issue that technical people don't know how to fix?

This reminds me of the old quotation: "you only trust in laws and sausages if you don't know how they're made".


👤 FlyingAvatar
I suspect that for SendGrid, SMS is an important hurdle for filtering out spammers. Of course, that's relatively easy to work around, but it doesn't feel shady to me if viewed with this context.

👤 christkv
A question here: is 2FA with e-mail considered better or worse than SMS?

👤 alistairSH
Why? MFA via SMS is the most user friendly option at this point. Nothing else comes close.

The Apple flow...

  - Visit site/app
  - Click "send code to phone"
  - Apple populates the code field with the code when it arrives

No 3rd party app, no extra subscription, no extra hardware. Couldn't be much easier.

Yes, I realize SMS can be attacked in a few ways that app- or hardware-based MFA cannot. But, it's probably better than nothing (I've not seen a good counter to it).

Now, should banks offer SMS + app/hardware options? Absolutely. No question. But please don't take away SMS unless you're offering something just as easy.


👤 cyri
SMS 2FA is way better than 2FA via email. I can't convince that huge French company to also add an authenticator app besides their email 2FA.

👤 tssva
I would love for my credit union to have SMS 2FA. Right now for web or mobile app access it is purely username and password.

👤 pcurve
Phone-only 2FA is horrible if you do overseas travel and get local SIM cards. I can't stand companies that do this.

👤 Kiro
Now why would we do that? SMS based 2FA works great in modern countries where SIM swapping is not an issue.

👤 sshine
> "updated security measure"

The misconception that security is additive is deep-rooted in a primitive view of the world that I cannot imagine going away soon. If you have 10 cm of concrete protecting you, it's better than 5 cm of concrete. So if you have a grade 10 padlock and a grade 5 padlock (higher being better), it's better than just having the grade 10 padlock. Substitute padlock for any system that can be intelligently hacked.

My cynical view, after having worked in regulatory compliance with so-called "security consultants" who are essentially paper pushers, is that any security flaw can be fixed with the right wording in a document. In fact it might even be preferable to fixing the flaw in software. This is comparable to activating a linter only on touched files, not all historical code.

You could blame incompetence, but a real assessment is made: You earn more if you allow some amount of holes, blame evil hackers, reverse transactions, apply insurance. Most cash is digital, and all banks are in it together. This is why banks hate blockchain: There are too many poorly made systems that assume we can undo transactions when we fuck up, and not fucking up is too expensive.

When you have zero clue how something can go wrong, and you don't even know the probability up front, all you can do is bet on insurance and transaction reversal.

tl;dr: I understand you want to reach through via tech, but the problem is: Lack of real security is a conscious decision.


👤 anonym29
Vote with your feet! I switched my primary bank and my brokerage to ones with hardware mfa support.

👤 perryizgr8
I don't understand. What's your alternative to SMS 2FA?

👤 Apreche
Join the big tech companies and adopt support for passkeys.

👤 jobs_throwaway
If there's one thing I'm sure of, it's that Congress getting involved will do anything but help the situation.

👤 jollyllama
All two-factor should be opt-in or opt-out. Users should have a choice between less security and getting locked out.

👤 npkarnik
This isn't worth the effort to discuss. There isn't much point in fighting the surveillance state.