SMS 2FA is not just insecure, it's also hostile to mountain people
80 points by ntietz
Every middle manager I have ever worked with tells me I have no business sense because I care about minorities and edge cases.
The same managers consider themselves too important to deal with the complicated reality of customer service.
I have no doubt where the problem lies.
And TOTP, the obvious alternative solution, is still pretty sorry. You have to download an app to do it; it’s not just a capability that a phone has by default.
I think iOS at least has the Passwords app nowadays that supports TOTP, though; I’m honestly not sure if that’s installed by default since I use Bitwarden.
I’ve experienced similar issues with Spectrum Mobile WiFi Calling, too. I switched to it from Mint because I get Spectrum internet from my apartment (as part of our $165/mo amenity fee…) and, if you have Spectrum internet, you get a free year of Spectrum Mobile, but the WiFi calling just has not worked (it worked fine when I had Mint). If I turn it on, I suddenly can’t receive almost any SMS or call whenever I’m on WiFi. I guess maybe that’s a different issue altogether, but still Spectrum Mobile being annoying.
Even the Spectrum Mobile service seems to be worse than Mint (which uses the T-Mobile network). Here in Austin, I had 5G almost everywhere on Mint but I’ll pretty regularly drop to LTE on Spectrum.
iOS (and by extension macOS and iPadOS) comes with the Passwords app installed by default, and it absolutely supports TOTP out of the box. It works great.
Hell, even back when it was still part of the Settings app it still supported TOTP, IIRC.
The fact that Android doesn’t have something like this in the year of our Lord two thousand twenty-five is frankly astonishing to me.
That’s interesting. Since Google Authenticator is so pervasive, I’ve noted that people tend to call it Google Auth instead of TOTP.
I don’t know of any non-technical user who ever refers to an authenticator app as TOTP, even if it’s in the app name.
It’s a technical term and it doesn’t have a reasonable pronunciation.
“tot-pee” is not difficult to pronounce, but I’ll grant you it wouldn’t mean anything to most people.
Note that it works great only if you want to use the Passwords app exactly as intended by Apple, i.e. you’re using TOTP in conjunction with a username and password login that belongs to a website. If you only want to use it as a stand-alone second factor, you have to attach a dummy password item to it. This is probably most “normal” users, but some folks here might benefit from knowing.
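The point that keeps surfacing in this thread (TOTP needs an app, but unlike SMS it needs no carrier, no coverage and no data plan once enrolled) comes down to what a TOTP app actually computes: an HMAC over a shared secret and the current 30-second window. The example below is added here and is not code from the original thread or from any of the apps mentioned; it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, parses the otpauth:// URI that an enrollment QR code encodes, and shows the server-side check with a small clock-skew allowance. The secret and the otpauth URI in the demo are the RFC test vector and a constructed example label, not real credentials.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step).
    Nothing here touches the network; the only inputs are the shared secret and a roughly synced clock."""
    return hotp(secret, unix_time // step, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/<label>?secret=...&digits=...&period=...&algorithm=... URI
    (what the enrollment QR code contains). Defaults follow the usual 6 digits / 30 s / SHA1."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(parts.query)
    b32 = q["secret"][0].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)                              # secrets are usually sent without base32 padding
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }


def verify(secret: bytes, code: str, now: int, step: int = 30, digits: int = 6,
           algorithm: str = "sha1", skew: int = 1) -> bool:
    """Server side: accept the code for the current window and +/- `skew` neighbouring windows,
    using a constant-time comparison. A real server must also reject a code once it has been used."""
    for w in range(-skew, skew + 1):
        expected = totp(secret, now + w * step, step, digits, algorithm)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B SHA1 test secret (ASCII "12345678901234567890"); label is a constructed example.
    uri = ("otpauth://totp/Example:alice%40example.com"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")
    p = parse_otpauth(uri)
    for t in (59, 1111111109, 1234567890):                    # RFC vectors: 94287082, 07081804, 89005924
        print(t, totp(p["secret"], t, p["period"], p["digits"], p["algorithm"]))
    now = int(time.time())
    print("current code:", totp(p["secret"], now, p["period"], p["digits"], p["algorithm"]))
```

The enrollment URI is the only thing that ever has to cross the wire; after that the phone and the server compute the same code independently, which is exactly why it works in a valley with no signal while an SMS code does not.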
Isn’t a standalone second factor just… a first and sole factor?
What I meant by “standalone” are constellations like “I have my own password manager but I keep my TOTP tokens on a separate device and application”.
Oh, I’m an idiot, I literally use a standalone TOTP app as well, I should have instantly understood what you meant. Ignore me!
Anything related to phone numbers should always be just an option and not mandatory whatsoever.
It is sadly a very similar situation if you change country, with App Store restrictions on top (e.g. app not available in this country) and crazy prices for roaming. Banking apps are really bad in this regard.
Yup. I had a terrible time trying to pay for things online while travelling, things like my next flight or a hotel.
My Visa card would usually work if I was in a shop. But online, they’d want to send me a text to my SIM card that only works in Canada.
Is it just me or is this getting worse? My parents are also in a situation like this, and from about 2010 to about 2020, they got 4G LTE and it worked. Before that it was no signal; now it’s “5G UW” and 3/5 bars, but calls don’t come through, SMSs come in spurts, Signal messages go out hours late, websites and apps are just loading spinners. They’re well within Verizon’s coverage map (as are their neighbors up the road who have never had any signal).
That said, almost every service I use other than email itself supports email 2fa, which I’ve been told is more secure and works when my phone is upstairs.
Phone numbers in general are a bad idea, and we should be working as hard as we can to get rid of them.
There’s no good argument in favor of forcing me to have a phone number in order to conduct business in the world, but a person who abandons having a phone number is significantly crippled in terms of verifications and signing up for other services which absolutely do not depend on a phone number.
For one thing, if I move to a different country, I lose my phone number. At various times in the past, I have lost my phone number even without moving, just by having my state’s area codes get reshuffled. And the only thing I get in return is a mostly no longer extant POTS network that I don’t need or want.
There’s no reason we can’t put all voice calling over VOIP, and all text messaging over something like iMessage (I know, not the Apple monopoly, but, like, the same thing, just not Apple), and get the cellular data providers out of the phone business. And my VOIP number can be my email address! Or something associated with my domain, which I can maintain. If someone needs to call me from a land line, they can dial into some sort of switchboard. I’m sure the AI can do the voice recognition of my email address, and connect the caller.
This is why the switch to RCS for texting was so misguided. Why is the carrier involved at all? Just do it over IP! Get out of the numbers game. It’s dumb! Words are easier to remember, too.
Tell Signal.
They already introduced username support, what more do you want?
I want to be able to use Signal without a phone number. I was responding to fly’s post which begins:
Phone numbers in general are a bad idea, and we should be working as hard as we can to get rid of them.
There’s no good argument in favor of forcing me to have a phone number in order to conduct business in the world […]
This is not about privacy, it’s about accessibility.
The motivation for many services to require a phone number is that usually you have to show an ID card or similar to get a SIM. It’s abuse prevention.
This is why the switch to RCS for texting was so misguided. Why is the carrier involved at all? Just do it over IP!
Even worse, the carriers are getting out of it, so functionally, the only RCS provider is Google. I installed Google Messages for the purpose of RCS, and it worked for a few months, then switched into a permanent “Setting up” state, so I’m back on SMS for everyone and everything that’s not on Signal.
This. A million times this.
POTS is broken.
But do we cater to people without data plans?
If we don’t, you could very well say that Matrix (or XMPP, or whatever), already enable this! It’s just a matter of inertia, critical mass, etc.
Yeah, there are many solutions. What we need is to convince banks and whoever else that phone numbers are dumb.
Re: people without data plans, phone numbers can continue to exist. We don’t have to get rid of POTS, we just have to let people opt out and still function in society. Every asterisk on a web form next to “phone number” is a bad decision.
Well, the transition would be a pain. I guess the solution is smart bridging on POTS to whatever we use.
Sometimes I think that I should be able to use a 4G modem or a hacked phone to act as a bridge to Matrix. I could forward SMS and bridge calls, with a good allow list and call filtering like Pixel phones.
And because it would be a regular phone operator SIM, I wouldn’t have the issues of SMS operators blocking VOIP numbers.
My folks live in one of the last houses up a twisted valley around a corner from the nearest cell service. I’ve totally had to take a laptop out in the car and drive down around the corner to get an SMS to login to the bank or other services. They have internet, but not a micro cell booster.
The worst are the services that not only limit to SMS instead of TOTP codes or hardware keys, but also refuse to allow Google Voice or similar VOIP services that would allow workarounds.
The other huge gotcha for me is that my bank only allows texting my in-country number, but I frequently travel internationally (I don’t live in the same country as my folks above) and getting SMS on international roaming is hit-or-miss. Mostly miss.
Switch the landline to voip.ms and save about $35 a month, and as a bonus get your SMSs on the landline number.
Unfortunately, some services reject phone numbers they deem “VoIP” and refuse to send SMS to them. I happily don’t use such services, but it is a real barrier for some folks trying to have a more affordable phone number.
Good practical advice! But are you certain that voip.ms will forward all SMS from short-code senders? That appears to be the problem in the OP. Here’s some Reddit rando saying that they don’t 4 years ago, and somebody else suggesting competitors who might.
I use voip.ms for home and for my business. I do get SMSs and am unaware of any issues with that, but I must admit that I do not know the details of what works and what doesn’t work at the granularity that you are describing.