Perhaps the FCC should look at India's regulatory mechanism for a SIM swap solution.
They disable SMS altogether for 48 hours when a new SIM is issued. This gives enough time for a victim to go to a physical location to resolve the issue. It doesn't solve it 100% but definitely introduces enough friction to put a dent in the efficiency of the attackers.
How about just making it illegal to use phone numbers for digital authentication? 95% of the problem solved right there.
The current setup feels akin to the longstanding problem of companies using social security and driving license numbers for authentication. Only the industry speedran the creation of this new problem, so they should be expected to get rid of it just as quick.
What's the alternative? Government-issued FIDO2 keys? Good luck with that.
How about instead we just make it illegal to use SMS for identity verification? I'm tired of "Your phone is your identity". It's exclusive of certain society members anyway, horribly not-encrypted, not-authenticated, can be intercepted, replayed, spoofed, phished, and a million other reasons.
Your phone number should not be your gateway to essential services like banking, investments, or even personal life. The madness has to _fucking_ stop.
There is a specific issue with SMS that I hate more than any of the issues you mentioned - the state of roaming.
Because every company on the planet forces me to provide my phone number to auth me with SMS, I now need to pay for roaming to use this god-awful method of authentication I never signed up for. On top of the local sim card I still need to buy, because roaming is often throttled to unusable speeds.
But it gets better. If I break my phone, I can currently move my physical sim into a new device in a matter of seconds. No problem. But with Apple removing the physical sim, soon I’m going to be forced to switch to eSIM.
eSIM is marketed as more practical, yet in reality it is anything but. I’ve been following forums for many telcos in the UK and Australia to understand the problems people face with eSIM.
First of all, if it is even possible to provision a new eSIM, most telcos lock this behind SMS 2FA. So if you break your phone, you can't log in to provision a new eSIM. Also, usually this needs to be done using an app, which is often only available in the telco's region. So if you live between countries, you're again out of luck. Some telcos require you to visit a physical store to move an eSIM to a new device. Some telcos won't provision a new eSIM electronically, requiring you to use a physical cardboard QR kit. And some telcos can only activate a new eSIM when the device is connected directly to their network, so even if you somehow managed to jump through all these hoops, you still wouldn't be able to activate a new eSIM abroad.
So if you break your phone overseas, you either need to live without banking and a range of other services, or book an immediate flight back to your home country just to provision a new eSIM.
Calling this madness is an understatement. Any company forcing MFA must allow users to pick from a range of open standards.
Makes sense in principle, but what's the alternative? Do we get rid of 2FA altogether?
Most of the world does SMS 2FA without an issue. It is only a problem in the US where anyone can pretend to be anyone else, take over their identity, SSN, mobile number, take a loan in their name etc etc.
I second what exabrial said. Any corporate person who asks for SMS 2FA as a condition to use a service should be fined $750,000 per violation.
I'm quite content with simple passwords on most accounts. But there is also email challenge, non-authority-issued security keys, and authenticator apps. All solutions that are currently being used by consumer-facing companies, and generally considered more secure and often less privacy invasive.
Yeah, I'd at least like the choice of which one(s) to use, but more and more services are specifically requiring a mobile phone number, and requiring SMS 2FA, which is blatantly ridiculous (and I agree should be outlawed). Thanks for totally locking me out of my account while I'm overseas...
authenticator apps +1
I don't care much for third parties inserting themselves into (and likely collecting data on) things that have nothing to do with them. What kind of authenticator app would make it impossible for the maker of that app to know who I am or what services I'm using and when/how often I use them?
What about people who don't have a smartphone?
> So if you break your phone overseas, you either need to live without banking and a range of other services, or book an immediate flight back to your home country just to provision a new eSIM.
I have these services connected to a Google Voice number.
Not every service will let you use VoIP. Capital One for example.
And if Google Voice doesn't work, there's also the "2FA Mule" technique: 28251107 . It costs a few bucks a month so the original rant is still valid, but at least you don't have to deal with roaming, mucking with your actually-mobile device, or getting your location spilled.
You can't get Google Voice if you're not a US Google user
Multi-factor authentication doesn't need a cellular phone. I personally use TOTP codes and security keys whenever I can, as I am very wary of giving away my phone number (I want to believe this is why I rarely get spam calls or texts). There is an obvious downside to security keys (they cannot be backed up or have their secrets transferred), but passkeys are slowly becoming a viable alternative, which gives you almost the same level of security as security keys implementing FIDO2. Major services like GitHub already allow passkey authentication. Both iOS and Android have supported passkeys for a while now, and so have all of the major browsers (Chrome, Firefox, Safari).
So overall, I think passkeys are a good alternative to SMS :)
Now try to explain that to a person in their 70s who is thrice removed from the tech industry while they're trying to check their bank account balance.
I agree with you 100%, I wish we went for a much more secure way. Unfortunately UX friction and pre-established ideas will make it way harder to roll out to the general public.
In mainland Europe, banks used 2FA devices with a little lcd display since at least the early 2000s.
Now they're going more phone based which feels like a step back to me (but more convenient of course... though I hate the kind that makes you film a colored qr code from your pc monitor: doesn't work in mobile browser since phone camera can't look at its own screen, and makes you look like photographing your pc screen)
In Denmark, we have a common login system called MitID (translated: MyID), which is used by all banks, insurance companies, the governmental digital mail system (not email, but PDFs in a vault) and its still-alive, now-commercial-only predecessor. I believe it is by law.
The system is 2FA with either your phone or a hardware dongle proving your identity.
It strongly authenticates you as a person who is precisely identified (the services only get a token, but it can also validate your person number - think SSN in a US context).
It is quite harsh on device security, recently failing on beta versions of Android - on top of, afaik, always failing on rooted devices...
The phone version also requires you to scan a continuously changing QR code twice to proceed, which is shown when you need to identify yourself (in an iframe). This is to ensure you are "physically" present where you are being authenticated (i.e. to block some phone scams).
Works pretty well and is reasonably secure, whilst still having some flaws.
In the future, I believe this system will work in some/all of the EU due to the coming eIDAS legislation...
Bastard bank charges me €20 for one of those LCD things. Luckily the battery lasts multiple years.
The device particularly saved me when my phone got dropped and all I could do was email the world.
SMS "auth" is doing nothing but piggybacking/hijacking the hard credit pull the carriers ran on you when you got your phone.
So something that indicates there’s a real person there paying a bill. Plenty of room for innovation here but my suspicion would be that it be a function of a credit bureau.
It already is the function of a credit bureau, and they're not doing a very good job.
AT&T required me to go to a retail store with government-issued ID and provide the last 4 digits of my SSN. I then had to answer some questions that were clearly provided by a credit bureau; all of them were some version of "which of these 5 addresses have you lived at before?"
This was concerning because I'd think that for most people, with a bit of digging, it's not that hard to get a list of previous addresses. But sim swapping should probably be at least as difficult as obtaining a replacement passport or drivers license.
Lots of countries don't have the concept of "credit rating" and yet still everyone uses the phone as a second factor, everywhere.
No, the reason is that your phone number effectively functions as your personal ID, lacking any other good alternative.
Does SMS auth not work with prepaid SIM cards? I think the real benefit is that a SIM card is basically a trusted computing device, but with a system in place at the carrier to give you back your number if you lose it. In effect, it's a digital proof of identity. Since identity is fundamentally the job of the government, the real solution should be ID cards with trusted computing chips in them. Though that will open up a can of worms with regards to privacy and government overreach.
Ideally consumers would have access to multiple 2FA methods that all vendors support as standard, including SMS, app-based authentication, RSA keys, Yubikeys etc., which the user would choose based on their constraints, need for convenience, and threat model.
The immediate alternatives which are available today are 2FA via email or via an authenticator app such as Authy or Google Authenticator. So it's entirely a matter of whatever idiot companies decided to implement 2FA exclusively via SMS, adding support for one or both of those.
I'm another person who hates having to do 2FA via phone all the time, I am overseas a lot and it can pose serious problems for account access. I found out today that Authy even has a Linux client - hopefully this is the beginning of my life getting a lot easier.
The alternative is passkeys, which are strongly phishing-resistant and don't require an annoying "second factor" step for the user at all.
While true, and while absolutely better from the security and privacy standpoints, aren't passkeys less inclusive than SMS 2FA? Honest question - I'm not sure. I can see them being both less and more inclusive: somewhat more inclusive because they don't require any monthly payments to keep the phone number active, but most likely significantly less in terms of adoption.
Also, passkeys don't provide a way to perform non-Internet authentication. Like when you call your bank or they call you, you cannot use a passkey to authenticate each other purely over the phone, you need to be online. While this is surely technically possible to do over the phone (or postal pigeons -- j/k), it's not even on a radar and is extremely unlikely to ever happen in any foreseeable future.
Passwordless, whatever it's called this week.
TOTP apps are good enough in most cases.
The problem isn't "2fa": the problem is services that just use it as your identity. You'll go to sign in to the account and it merely asks for your phone number, to which it sends a login link. Or--even more unacceptable as it makes you THINK the password matters--you'll say you "forgot your password" and it sends a code to your phone number and that code is all that was required to get back into the account. This isn't a second factor: this is replacing your first factor (your password); maybe you could call it an "alternative factor"?
It’s impressive how some of the most successful tech companies in the world get this wrong.
If you give your phone number to Google, they will pressure you to enable SMS MFA and SMS account recovery. So your phone number becomes the weakest link into your account, which is pretty bad considering the state of sim swapping.
Google and other companies should make this clear to users. You should never have both SMS MFA and SMS account recovery enabled. If you must, only ever enable one. Ideally, neither.
SIM swapping is a problem in most countries.
And the ones who don't experience this issue at all, perhaps the US could study why that is?
Most of the world does not do SMS 2FA. Most of the world does SMS 1FA. Your phone number is the only authentication. The password doesn't even matter, because it will be reset by anyone with the phone number. It's insanely stupid.
There is no smartphone requirement in RFC 6238. Smartphones are simply the device that a lot of people use as their user-agent, but you can use a computer if you prefer.
You could get those little mini RSA token things that are just a battery-powered thing the size of a USB stick. I assume those are still around... haven't used one in years tho.
These are pretty insecure because OTPs are easily phishable. WebAuthn devices are just as inexpensive, but prevent most phishing attacks.
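The reason a WebAuthn assertion is worthless to a phishing site is that the browser bakes the origin into clientDataJSON and the authenticator bakes SHA-256 of the relying-party ID into authenticatorData, and the server refuses anything that does not match its own. The following is an added example (not from the thread) of those relying-party checks; `bank.example`, the challenge handling and the sample messages are constructed for illustration, and verification of the signature over authenticatorData || SHA-256(clientDataJSON), which comes after these checks, is assumed to happen elsewhere.

```python
# Added example (not from the thread): the WebAuthn relying-party checks that defeat phishing.
import base64
import hashlib
import hmac
import json
import secrets
import struct

RP_ID = "bank.example"                    # assumed relying-party ID for this example
EXPECTED_ORIGIN = "https://bank.example"  # assumed origin the RP actually serves


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """What the browser serialises into clientDataJSON for navigator.credentials.get().
    The page cannot change `origin`; the browser fills it in from the URL bar."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, sign_count: int,
                            user_present: bool = True, user_verified: bool = True) -> bytes:
    """authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4, big-endian)."""
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, last_sign_count: int):
    """Checks the RP must make before trusting an assertion. Returns (ok, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Challenge binds the assertion to this login attempt: no replay of an old one.
    if not hmac.compare_digest(str(cd.get("challenge", "")).encode(),
                               b64url(expected_challenge).encode()):
        return False, "challenge mismatch (replay or stale)"
    # Origin check: an assertion collected on a lookalike domain carries that domain here.
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %r" % cd.get("origin")
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    # The authenticator scoped the credential to the phishing site's rpId, not ours.
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not flags & 0x01:
        return False, "user presence flag not set"
    # A counter that fails to advance suggests a cloned authenticator (0 means unsupported).
    if sign_count != 0 and sign_count <= last_sign_count:
        return False, "signature counter did not increase"
    return True, "ok"


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)   # constructed: the challenge the RP issued for this login
    genuine = make_client_data(challenge, EXPECTED_ORIGIN)
    phished = make_client_data(challenge, "https://bank-example.com")  # constructed lookalike origin
    auth = make_authenticator_data(RP_ID, sign_count=7)
    print(verify_assertion(genuine, auth, challenge, last_sign_count=6))
    print(verify_assertion(phished, auth, challenge, last_sign_count=6))
```

Contrast this with a TOTP code: nothing in the six digits says which site the user typed them into, so a proxy in the middle can relay them to the real site within the 30-second window. Here the proxy's own origin and rpId end up in the signed data, and the check above rejects it before the signature is even examined.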
Couldn't you just set up a text service to request a one time token? That way you could fall back to SMS, but it wouldn't be required.
(e.g., anyone could create a service that someone could use, which would allow them to request a 2fa code to be issued over SMS at any time after enrolling it via the OTP pairing process)
What happens when the attacker uses that fallback to perform the exact same attack that they perform today?
They'll get a government-issued ankle monitor/smartphone..
Capital One is one of the services that I have connected to my Google Voice number.
They wouldn’t let me activate a card with one. They wouldn’t even let me activate my card with a phone number that wasn’t the primary on a family plan.
I've been seeing more places rejecting VoIP numbers lately
The EU requires banks to use secure authentication methods and has done so by directive for more than a decade now. This includes one-time passwords and app-based two-factor.
I do not see how the elderly in the US would need more explanations than in the EU.
I think 2fa card readers that use your bank card (like the one that goes in an ATM) to generate a code are easier to understand than receiving an SMS. Especially here in chip-and-pin land.
Couldn't the same thing have been said for SMS 2FA, and not all that long ago?
Honestly "plug the little black thing in here, rub the gold dot when the screen says" is better UX than typing numbers. Have you ever heard the stories where people aren't able to type in their code before it expires?
In the past I've been given little key fobs with my debit card that give you a 2FA code when you press a button
Until a few years ago, we couldn't check our bank account balances by logging onto the internets. We called or visited a bank teller in person. gasp!
If a person can't handle 2fa, do they really need to be using online services that are important enough to warrant using 2fa? I imagine the world will advance and this will become easier over time, but for now single player security across wires is complicated.
Simple answer: implement a privacy law with teeth. It doesn't even need to be framed from scratch - the GDPR does a fantastic job at preempting most of the flaws that lobbyists would love to slip in.
What is the whole "consent" nonsense in the GDPR if not a huge gaping flaw slipped in by lobbyists?
It does, but in most of Europe at least, the process for (legally) getting a prepaid SIM card also involves showing government ID.
They effectively outsourced IdP to telcos for free. That's the part that's wrong.
> And the ones who don't experience this issue at all, perhaps the US could study why that is?
You'll have to name a few first.
I know the comment you replied to said "most", but that's not a declaration that any countries have actually solved the issue. It's more that some countries are just too small/isolated to see certain crimes, so it's easier to say "most" than "all".
I probably connected the number before their anti-voip policy was enacted. This is true in a number of places. They have no policy against using a voip number; they just hope you won't register one.
I might try a couple of things:
1. Call Capital One customer service and yell at them.
2. Go visit them in person somewhere and yell at them. Bring a phone that rings when they dial the number.
3. Register a carrier number with them, and then, behind Capital One's back, port that number to your Google Voice account.
> They wouldn’t let me activate a card with one.
You can activate a card by just going to the URL printed on the sticker attached to the card. No need to use any phone number.
To the last point: no, you can't.
I’m sure I could have figured it out eventually but once their proprietary id scanner rejected my passport I gave up and closed my account.