I feel the need to defend the use of SMS for 2FA (in limited cases).
SMS is actually a perfectly good channel for 2FA for most customers in most cases. Because most customers, most of the time, are not under a targeted or even semi-targeted attack. SMS 2FA protects quite well against large-scale brute force or credential stuffing attacks. If someone is checking 10k accounts against the 3 top passwords (yes, this is a very common attack type), those customers will be very well served by having SMS 2FA.
SMS is a terrible channel if anyone is trying to target you directly though, that's absolutely true.
edit: also, in case this wasn't clear - I'm not talking about any services that allow password reset through SMS alone - that's beyond idiotic, obviously.
While you are right, you're missing the real problem. SMS 2FA is a systemic threat vector for identity takeover. Buy out one employee for $20 and you have access to take over any one of millions of users. Additionally, the victim won't figure out there was an attack right away. And the attacker can live anywhere in the world.
If someone wants to rubber hose me, they have to physically come to my area and that doesn't scale except for high value targets. Tolerating SMS as 2FA is absurd with built-in passkey capabilities backed by biometrics/code built into a device you can buy for $100 and already carry with you 24/7.
> and that doesn't scale except for high value targets
Real-world activities (kidnapping, rubber hose, fingerprint stealing, whatever) aren't worth it for medium-value targets, true - but my point is that SIM swaps aren't either - for low-value targets.
From the article, they're offering $300 per - so the expected value from these specific compromised accounts must be more than that (I'd guess $1k min). This makes it pretty clear that if you're protecting accounts worth ~$50, SMS is probably "good enough". And for some users that's the right trade off.
My point is that SIM swaps are possible from the other side of the world and rubber hose isn't. The targetable base for remote SIM swap attacks is everyone from anywhere.
But isn't it the case that most sites will tell you if you pass a password check before hitting you with a SMS verification?
In that case I could see someone attempting a SIM swap attack for accounts where they pass a password check for higher value stuff like primary email or anything that is probably linked to a spending account.
That assumes the attacker even has the phone number - best practice is to not display the full number, just the last 4 (xxx-xxx-1234) - so again, for the typical case, the attacker isn't going to know what number to SIM swap.
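As an added illustration (not code from any commenter in this thread) of the flow argued for above: SMS as a real second factor after the password check, with the challenge reply exposing only the masked number. The service, its policy constants (OTP_TTL_SECONDS, MAX_OTP_ATTEMPTS) and the stand-in SMS gateway are assumptions made for this example.

```python
import hmac, secrets, time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_OTP_ATTEMPTS = 3    # assumed policy: three wrong codes discard the challenge

def mask_phone(number: str) -> str:
    """Show only the last four digits: '+15551234567' -> 'xxx-xxx-4567'."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "xxx-xxx-" + digits[-4:]

@dataclass
class Challenge:
    code: str
    expires_at: float
    attempts: int = 0

class AuthService:
    """Hypothetical service; users maps username -> (password, phone). Cleartext passwords only to keep it short."""
    def __init__(self, users):
        self.users = users
        self.sent = []         # stand-in for the SMS gateway: (phone, code) pairs
        self.challenges = {}   # username -> pending Challenge

    def login(self, username, password, now=None):
        """Step 1: a correct password yields a challenge, never a session; the reply carries only the masked number."""
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec[0].encode(), password.encode()):
            return {"status": "denied"}
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[username] = Challenge(code, now + OTP_TTL_SECONDS)
        self.sent.append((rec[1], code))
        return {"status": "otp_required", "sent_to": mask_phone(rec[1])}

    def verify_otp(self, username, code, now=None):
        """Step 2: expired or over-tried challenges are dropped, so a password hit cannot be turned into a session by guessing the code."""
        now = time.time() if now is None else now
        ch = self.challenges.get(username)
        if ch is None or now > ch.expires_at:
            self.challenges.pop(username, None)
            return {"status": "denied"}
        ch.attempts += 1
        if hmac.compare_digest(ch.code.encode(), code.encode()):
            del self.challenges[username]
            return {"status": "session", "user": username}
        if ch.attempts >= MAX_OTP_ATTEMPTS:
            del self.challenges[username]
        return {"status": "denied"}
```

A bulk password check against this service (the "10k accounts against the top 3 passwords" case) produces at most a challenge per hit, never a session, and the reply reveals only the last four digits of the number.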
SMS is bad at protecting one account, it's good at protecting 10000.
The minnow security model is bad at protecting one fish, it's good at protecting 10000.
What would you say is an advantage unique to SMS that would be lost if text messages were switched to another model? I'm asking sincerely. There aren't many people arguing in favor of SMS here, so you seem like the right person to ask.
It's pretty simple - there are people who don't have smart phones, plus people who couldn't manage to install/use a TOTP app. Something like ~10% of users probably fit in that category. So either you offer them no protection (if 2FA is optional), no use of the service (if 2FA is mandatory), or ok-but-not-great protection (if you allow SMS).
(In reality, some users don't even have SMS (no cell phone) - so automated voice calls can be offered too. Those without any phone at all...will not be considered as valid customers, in most cases.)
Yeah, but say I am an attacker doing some kind of brute force password hack, and I have a certain number of successes.
Given the funnel there, it might well be worth it for me to put some energy into figuring out who the person at the other end of that account is. Phone numbers aren't secrets.
Yeah, agreed. But again I'm not arguing that SMS is the best second factor, I'm arguing that (used correctly) it's better than no second factor, which is what it's actually competing with in the real world.
Generally, I think services should offer TOTP, email, and SMS, and strongly encourage TOTP. But not offering SMS just means some segment of customers won't have a second factor at all.
> SMS is actually a perfectly good channel for 2FA
You might have different definitions of both "perfectly" and "good" than the researchers who found in every case with every major phone provider, the SIM could be stolen.
- We examined the authentication procedures used by five prepaid wireless carriers when a customer attempts to change their SIM card, or SIM swap.
- We found that all five carriers use insecure authentication challenges that can easily be subverted by attackers.
- We reverse-engineered the authentication policies of over 140 websites that offer SMS-based authentication, and rated the vulnerability level of users of each website to a SIM swap attack.
- We found 17 websites on which user accounts can be compromised based on a SIM swap alone. After over 60 days since our disclosure, nine of these websites remain vulnerable in their default configuration.
You might have difficulty reading entire comments.
Yes, SMS 2FA will fail against a sophisticated and targeted attack. It is still drastically better than NO second factor, which is the actual comparison in the real world. There are people without smartphones. There are people without the ability to install/use a TOTP app. My aunt can either use SMS 2FA or nothing. SMS protects her pretty well against 95% of the types of attacks she's likely to face.
Which part of your comment do you think I failed to read?
Frankly, a secure password alone, with no second factor, is "drastically" better than a secure password with ability to change that password by SMS, as is frequently the case (a quarter of the time, per that research). So set up LastPass or 1Password for your aunt.
As for "protects her from 95% of the attacks she is likely to face", that's a number that doesn't jive with my experiences as CTO of the second largest bank in the world.
Your claim is "Because most customers, most of the time, are not under a targeted or even semi-targeted attack."
On the contrary, most customers are under automated attacks, and SMS plus password leaks lets that takeover be fully automated.
>>Frankly, a secure password alone, with no second factor, is "drastically" better than a secure password with ability to change that password by SMS, as is frequently the case (a quarter of the time, per that research). So set up LastPass or 1Password for your aunt.
Obviously password resets shouldn't be possible by SMS alone, I never claimed otherwise. I'm talking about using SMS as a second factor - in addition to having the valid password.
>>As for "protects her from 95% of the attacks she is likely to face", that's a number that doesn't jive with my experiences as CTO of the second largest bank in the world.
In my experience, low-net-worth + technically unsophisticated users are mostly at risk from brute force attacks and/or credential stuffing, and SMS (as an actual second factor, not a "reset the password for free" button) is very effective at stopping that.
>>On the contrary, most customers are under automated attacks, and SMS plus password leaks lets that takeover be fully automated.
If your customers have phone number/username/password all leaked together...sure, I can believe that. Probably you should focus on preventing leaks of that size.
> If your customers have phone number/username/password all leaked together...sure, I can believe that. Probably you should focus on preventing leaks of that size.
A substantial proportion of your customers' email + password pairs have been leaked before they sign up with you. Email and phone are already paired from data brokers, you don't need the dump.
A majority of SaaS providers and banks fail to check for previously leaked creds. Many of the same ones that think SMS is "perfectly good".
Is your bank one of the ones that uses email addresses for usernames? Because that's a great way to make it much easier for attackers to match up leaked creds. Consider switching to a (chosen) username or card number or something. If your username is quickly matched to a phone number (or email address) it makes phishing (or account takeovers) much easier.
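An added example (not from any commenter here) of the leaked-credential check the post above says most providers skip: a Python client for the k-anonymity range lookup, where only the first five characters of the password's SHA-1 are sent and the match is done locally. The range endpoint is the real pwnedpasswords one; fake_fetch, FAKE_RANGES, the breach counts and the accept_new_password policy are constructed for this example.

```python
import hashlib
import urllib.request

def sha1_prefix_suffix(password: str):
    """Split the uppercase SHA-1 into the 5-char prefix sent to the API and the
    35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict:
    """Parse a range response: one 'SUFFIX:COUNT' line per breached hash."""
    table = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            table[suffix.upper()] = int(count)
    return table

def fetch_range_live(prefix: str) -> str:
    """Real client call against the range API (the offline test below does not use it)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch_range=fetch_range_live) -> int:
    """Occurrences of this exact password in known dumps, or 0 if unseen."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def accept_new_password(password: str, fetch_range=fetch_range_live) -> bool:
    """Signup/reset policy (assumed): refuse any password seen in a dump."""
    return breach_count(password, fetch_range) == 0

# Constructed stand-in for the API so the example runs offline. The two long
# suffixes are the real SHA-1 tails of "password" and "123456"; the counts and
# the all-zero filler suffix are made up.
FAKE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9000000\n" + "0" * 35 + ":1\n",
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:7000000\n",
}

def fake_fetch(prefix: str) -> str:
    return FAKE_RANGES.get(prefix, "")
```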
> On the contrary, most customers are under automated attacks, and SMS plus password leaks lets that takeover be fully automated.
Are you implying there are automated SIM swap attacks in the wild? Or maybe you are saying SMS can be phished? I do agree an SMS second factor can be phished, but if phishing is the attack, password leaks are irrelevant since you usually phish both the password and the SMS second factor together, so password leaks don't make any difference.
This is actually a pretty good comparison. It's like the $50 lock on your front door. A determined burglar can pick the lock or smash the window, no problem. But it's better than leaving the door unlocked.
So in summary, SMS-2FA is a great channel for people/use cases that don't actually need that much security/protection? I agree!
Actually, I don't. Even completely trivial things like coffee chain apps require SMS-based logins these days, and I hate it. One particularly idiotic one initially accepted my Google Voice number, only to lock it out for a subsequent login on a new device.
Phone numbers are a horrible user identifier. SMS is a horrible authentication mechanism. The entire industry has regressed from the bad combo of email + password to something almost universally worse in a matter of years, and it's incredibly frustrating.
The only saving grace is that SMS are quite expensive in some countries, so companies there have an incentive to not actually send them out if they can at all avoid it. Unfortunately they're effectively free in the US.
> I'm not talking about any services that allow password reset through SMS alone - that's beyond idiotic, obviously.
Twitter allows this, it's been a security flaw for years they've never fixed, and it's possible even if you have non-sms 2FA enabled! If you have a phone number on your Twitter account you should definitely remove it.
Quite a few high profile very security conscious people (e.g. Vitalik Buterin) have had their accounts hacked because of this.