No, it's not, and it's fucking annoying to deal with. I am on my desktop computer, stop sending me to my phone just to log in because you don't want to support FIDO or some other form of real 2FA. There's a fingerprint reader on my laptop, face id on my phone, and a yubikey in my USB. Fucking use it
Hey look, a bunch of disjointed, vendor-specific non-standards that become impossible to support. Imagine some hapless Filipino support agent trying to explain to an irate customer their YubiKey drivers are borked.
I don't know about the Windows side of things, but on Mac I imagine there's just one fingerprint API to support, same with Face ID. YubiKeys either work or get their drivers from the cloud like most other devices nowadays. I also don't know much about what Android has, but I would be surprised to learn that there wasn't native support for the various standards that are in place today, even if manufacturers aren't using it.
I switched this off by choosing the wrong answer to some vague prompt and could never figure out how to re-enable it. Assuming it's like the many iOS settings that can be reverted only by resetting the phone to factory defaults.
It doesn’t work on all sites and apps, which is an annoyance. Why it can’t intelligently offer the SMS OTP when a user is just waiting on an input field and an SMS comes with a code is beyond me. They should be able to decipher the messages, regardless of variations in formats, and know the code.
BTW, the setting to enable or disable this seems to be under Settings->Passwords->Password Options->AutoFill Passwords and Passkeys. Turning it off and on may also work (as these things tend to behave across devices and operating systems).
The problem is customer support load. Also what does the company do about those without a smartphone? No smartphone no service? This is why businesses peg account authentication to phone numbers. It offloads IAM overhead to phone companies.
Who cares. Spend the money on customer service people then. Companies don't need all the profits they make and investors don't need their 10000x returns when 9900x will do just fine.
Here we are on a website centered on an industry that has "solved" customer support by having zero live support. It's RTFM (or FAQ). Sometimes even paying customers get this treatment.
What happens when they smash their phone and now you have to do account recovery? With SMS authentication you can presumably offload that to the carrier.
Far far more people have a biometric reader or smart token than have a cell phone.
Smart phones are obviously phones and have biometrics. What you're left with is comparing the number of people with non-smart phones (~31 million in the U.S.) to the number of people without smartphones but who have biometric tablets, Windows Hello-enabled computers, PIV cards, etc.
Do you have statistics on the number of people who do not have smart phones but do have these other devices? I am not sure the intersection is as high as you imply.
The only people who don't use smartphones and don't have an iPad or similar tablet and don't have a recent computer... probably don't benefit enough from 2FA to justify the risk of account lockout.
In my social circle, the people who don't have smart phones are:
- People with disabilities that make reading from a small screen or texting a lot impractical.
- People who work in harsh environments who want something more rugged than a device made out of glass.
- People wary of the distraction of carrying around an entertainment device.
All of these people except one also have an iPad (especially the first group, as the larger screens help a lot). The one who doesn't does have a Dell XPS 13.
I would wager the number of people in the US with a smart token (I’m assuming you mean something like a Yubikey, ≈22M worldwide, most users have two) is probably close to 1:1.
I would also wager that the number of people with dumb phones is close (but not as close) to the number of people with computers without any biometric capabilities (and if they have them, they're not set up).
I wrote a comment 11 days ago talking about SMS for a second factor, but it applies in general as well: https://news.ycombinator.com/item?id=39130032 Email is better, for sure, but mostly because email providers are either controlled by the user (for us nerds with a custom domain) or a large, impersonal entity (google or similar). Neither is available to change by attackers in the same way as phone number providers are.
I work for an identity provider and we have a number of folks who want us to support this, almost always from a UX perspective.
I think that there also needs to be some onus on the phone providers, as suggested above. With the continued push to have the phone number as a global identifier (offline and online), we need our telco providers to require more to change phone numbers.
> With the continued push to have the phone number as a global identifier (offline and online), we need our telco providers to require more to change phone numbers.
No, we need to push back on this user-hostile trend, not stick on yet more band-aids.
Phone numbers are country-specific, impossible to own in any meaningful way for private individuals (unlike e.g. domain names), and add an unnecessary point of failure.
From the article:
> For many years, people in the industry have invariably said something like: "Well... offering SMS-based authentication is better overall for customer security, because of its convenience (despite its shortcomings) vs other methods" (such as the far-more secure use of email for verification). To that I say: "who are YOU to deprive your customers of security?"
and
> Much of the ire relating to SIM-swap attacks has, understandably, been directed at carriers. Indeed, carriers do a terrible job of securing customers’ phone numbers, and may be liable for that shortcoming. But here’s the thing: carriers’ security has always been bad, it has even been legislated into being bad, and other companies have still chosen to build mission-critical systems on top of that weak link.
and
> Despite offering poor security, SMS offers a nearly frictionless way to sign up new customers (think of Uber's onboarding) and handle password resets, and companies felt they had to match competitors' adoption of this technique.
This last bit was unfortunately overwritten in a Wordpress post update, and I added it back.
There is a straightforward manner to overtake your phone number (call your carrier and use social engineering). There is nothing you, the customer, can do to lock that down. (I've tried with my carrier.)
With email, you can lock that down with robust 2FA (Google Authenticator/Authy/etc) and crooks have no straightforward way of defeating that.
This is how it plays out year after year and why SIM-swap gangs are so prevalent.
That's a problem with the user, not the protocol or the system. Users have been and always will be the weakest point, but they are accountable for it if it happens, which is not the case for SIM-swap attacks.
Yes, true. However, to paraphrase a red team operations book I read, if the user can be tricked into compromising your security with a click, then you can't blame the user. An organization's defensive security strategy should not hinge on a single user's decision to click or not.
Edit: I am swapping users with you, sorry for the confusing reply. I'm thinking telecom employee, you user of the app that got swapped (I think, apologies if I am wrong).
Ha! I was going to say if you solve the user vulnerability then congratulations, all systems are mostly safe! Before reading that you meant telecom employees.
The reality is that TOTP, despite any issues, is far more secure and available than SMS: security for obvious reasons, but also availability. You can have your TOTP token accessible everywhere (say, in your password manager), but if you can't receive an SMS because you lost your phone or are traveling, then you are in a tough position, maybe even locked out completely. I personally even back up the TOTP tokens so I can reuse them without being tied to a specific platform/app (I am looking at you, Authy!)
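The portability the comment above relies on comes from TOTP being nothing more than a shared secret plus the clock (RFC 6238 on top of RFC 4226). The following is an added example, not code from anyone in this thread: it parses an exported `otpauth://` URI, mints codes, and shows the server-side check with a small clock-skew window. The URI and its label are constructed sample input; the secret is the RFC 6238 Appendix B test key, so the outputs can be checked against the RFC's table.

```python
"""TOTP (RFC 6238) from a portable otpauth:// URI.

Added illustration, not code from the thread. The otpauth URI below is a
constructed sample; its secret is the RFC 6238 Appendix B test key.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

# Constructed sample: the same secret as an authenticator-app export URI.
# Anything that can store this string (another app, a password manager, a
# piece of paper) can mint the codes; nothing ties the secret to one phone.
EXAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
    "&algorithm=SHA1&digits=8&period=30"
)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at: Optional[float] = None, period: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / period)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // period), digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... URI into the parameters needed to mint codes."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    b32 = q["secret"][0].strip().upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)                  # apps routinely omit base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }


def verify(params: dict, candidate: str, at: Optional[float] = None, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring steps
    to absorb clock skew; compare in constant time so a wrong guess leaks nothing."""
    now = time.time() if at is None else at
    step = int(now // params["period"])
    for counter in range(step - window, step + window + 1):
        expected = hotp(params["secret"], counter, params["digits"], params["algorithm"])
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    p = parse_otpauth(EXAMPLE_URI)
    print(p["label"], totp(p["secret"], digits=p["digits"], period=p["period"]))
```

Two practical points follow from the code: the secret in the URI is the entire credential, so a backup of it is as sensitive as the account itself and belongs in the same encrypted store as your passwords; and the skew window on the server is what lets a code still work after a dead phone is replaced from backup, as long as the new device's clock is roughly right.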
If you don't have your phone; if you're abroad and don't have SMS; if you're in a building with no service; if you changed your phone number, they all suck.
Also, another valid point is that oftentimes it's hard to tell what's a legitimate SMS message and what's phishing. Their phone numbers are always gibberish and sometimes change between requests.
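Both the earlier question (why the OS can't just decipher any SMS and offer the code) and the phishing point just above run into the same problem: a bare six-digit code carries no information about which site it belongs to. The WICG draft "Origin-bound one-time codes delivered via SMS" addresses that by putting a final line of the form `@host #code` in the message, so the client can refuse to autofill a code into any site other than the one named. The example below is added here and is not code from the thread or from any platform vendor; the sample messages are constructed, and exact case-insensitive host matching plus a conservative code alphabet are simplifications chosen for the example.

```python
"""Origin-bound one-time codes in SMS.

Added illustration, not code from the thread. The message format follows the
WICG draft "Origin-bound one-time codes delivered via SMS": the last line of the
message is "@<host> #<code>". The sample messages are constructed; exact-host
matching and the accepted code alphabet are simplifications chosen here.
"""
import re
from typing import Optional, Tuple

# Last non-empty line must be "@host #code". (The draft also allows a trailing
# "@host" for embedded frames; that variant is ignored in this example.)
_BOUND_LINE = re.compile(r"^@(?P<host>[A-Za-z0-9.-]+)\s+#(?P<code>[A-Za-z0-9_-]+)\s*$")

# Constructed sample messages.
MSG_BOUND = "Your Example verification code is 123456.\n\n@example.com #123456"
MSG_LEGACY = "Your code is 987654"                          # free text: bound to nothing
MSG_LOOKALIKE = "Login code 555555\n@examp1e.com #555555"   # lookalike domain (digit 1 for l)


def parse_bound_line(message: str) -> Optional[Tuple[str, str]]:
    """Return (host, code) from the binding line, or None if the message has none."""
    lines = [ln for ln in message.splitlines() if ln.strip()]
    if not lines:
        return None
    m = _BOUND_LINE.match(lines[-1].strip())
    if not m:
        return None
    return m.group("host").lower(), m.group("code")


def extract_bound_code(message: str, origin_host: str) -> Optional[str]:
    """Return the code only if the message binds it to exactly origin_host.

    A legacy free-text code, a mismatched host, or a lookalike host all yield
    None, so the client never offers a code to a site it was not issued for.
    A human reading the SMS gets the same check for free: the domain is on the
    last line, regardless of what gibberish sender number it came from.
    """
    parsed = parse_bound_line(message)
    if parsed is None:
        return None
    host, code = parsed
    return code if host == origin_host.lower() else None


if __name__ == "__main__":
    for msg in (MSG_BOUND, MSG_LEGACY, MSG_LOOKALIKE):
        print(repr(msg.splitlines()[-1]), "->", extract_bound_code(msg, "example.com"))
```

The unbound legacy message is exactly the case the autofill complaint is about: the client could guess that 987654 is a code, but it has no way to know the code was issued by the site currently asking for it, which is why a cautious implementation offers nothing rather than risk pasting a phished code into an attacker's form.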
From the examples I've seen, the attackers essentially become the customer. They've either socially engineered the customer or done research to gain access to enough information to validate themselves as the customer. Come up with a solution and sell it. You'll make some money.
That's kind of the point, US Telcos don't really validate customer identity - probably because they can't, due to the general limitations of USA documents leading to relatively easy identity theft where merely having enough information is sufficient to impersonate someone. (A simple test - is your verification process likely to stop someone's parent, spouse or sibling from impersonating them? If no, you're not really verifying identities.)
It's not something where a private entity can sell a solution, you need a more solid root of trust for verifying actual identities, like many other countries do, but that's not going to happen in USA any time soon.
Well that got me thinking. You could stand up a third party verification service and sell the offering to companies that don't want to be bothered with authenticating the user. Something like Okta (I know, bad example when talking infosec at the moment) for real life.
Somebody already pays for it. Once regulations ensure that it's the companies skimping on KYC themselves, most will happily outsource that task to the cheapest (compliant) provider.
I just realized this does exist (kinda) in the US with IdentoGO. Could be an easy service offering for them or a partner for another company focused on the MFA issue.
>Counterpoint: SMS login and account recovery is good UX, and it's the telcos that need to step up their collective game.
Oh, yeah, fantastic UX.
I've had my phone and credit cards stolen while traveling abroad (such a hard-to-imagine scenario, innit?), and was consequently locked out of all important services.
Very good UX: being left without a phone and access to bank account and email and most messengers at the same time (thankfully, Skype isn't one of them).
Double props to CitiBank for requiring SMS authentication to change the phone number on the account.
While it works well a majority of the time, it results in an exceptionally bad UX if you lose your phone, don't have reception, or are traveling outside of your service area.
I once worked in a building with terrible cell reception. I hated anything that required SMS for 2FA because I'd have to go outside to get the text message.
My in-laws lived in an area with poor cell reception too. Whenever I'd go there, I couldn't use SMS either.
Both of those places had good Internet service. Any time SMS was required, my UX was terrible. Hooray for anyone who supported TOTP, email, or any other form of 2FA.
I'm so happy other people think this too!!! No one trusts the government, but USPS still offers pretty good privacy. I want mandatory acceptance of a government-issued ID, but at the same time I want to be able to use things anonymously.
Getting the government involved in this is the only idea worse than delegating to 4 major corporations. It should be delegated more broadly and users should have more options, not less.
It's obvious that government is already involved with everyone's identification.
This is analogous to the argument that government shouldn't be involved in "the free market", when the market is actually defined by the laws that regulate it.
Let's just call this the "Texas Delusion"...
Governments can be changed by democratic processes, corporate decision making is completely inaccessible to the public.
Do people really think life would be better if Google just ran everything?