
SMS 2FA is an antipattern. Many people know this, but it's not percolated down to everyone just quite yet.


I don’t know. It is maybe not as secure as possible but it is certainly more secure than a password.

I think it’s a baby step. I see other threads under the parent comment recommend banning SMS 2FA altogether. Surely this would be a step back. I suspect most people and companies would think, “well, I guess we won’t do 2FA anymore” rather than, “I guess we will use a proper Authenticator instead”.


> it is certainly more secure than a password.

I disagree. I can safely store a long, complex, and unique password. I cannot prevent anyone from social engineering my cell phone service provider and doing a SIM swap.


2FA is a layer of security on top of your password. Nothing stops you from using a strong password stored in an encrypted place.


In all the cases I've seen, the password can be bypassed with a password reset using SMS, thus SMS becomes 1FA.

What if someone stole my phone and I'm unable to instantly get a replacement? I don't want to be locked out of my account either.


You're just thinking of security -- and there are many valid concerns around using SMS-based cleartext messages as a 2nd factor.

But additionally, a big issue is reliability of the 2FA mechanism. Especially when your service provider is overseas, or you're roaming, the SMSes may simply not arrive in time.


"SMS 2FA is an antipattern. Many people know this ..."

Much SMS 2FA in the world is used not for your security but to solve the difficult problem of spam/scam/sockpuppet accounts.

Of course it is labeled as being for your security but it's not about that at all.

Bad actors are relentless, and forcing them to burn a SIM chip, any SIM chip, to participate at least slows down the onslaught.


It's better than just a password. Not perfect, but works 99% of the time (e.g. with password reuse, dumb keyloggers, over-the-shoulder spying, ...)


There is a real risk to giving a company your phone-number for SMS 2FA. That is that the company might, at some point, use the SMS as a single factor. This has happened a few times, sometimes it requires social engineering. In general, the risk is there.

Combine this with the time Facebook started using the mobile phone number for more than just 2FA (suggesting friends IIRC), and there is a decent argument for preferring plain password over enabling SMS 2FA.


It is not better than just a password (in fact, it is worse). Providers have been known to reset accounts with just SMS 2FA, and passwords are harder to steal than SIMjacking.


> Providers have been known to reset accounts with just SMS 2FA

But this turns the 2FA into 1FA, and that "1" is just an SMS.

Using SMS as a second factor is great, using it as an only one, is not.

If someone hacks eg linkedin (again), and gets all the passwords, they can just hack literally millions of accounts on other services just because of password reuse. SMS 2FA prevents that very effectively.

But I agree that companies use things made to deal with "issue A" to deal with "issue B", even if the thing is totally inappropriate for "issue B". I've heard from people that some places in the USA use SSN, date of birth, mother's maiden name, etc. to authenticate and verify the user (instead of doing stuff in person with an ID card)... most of those things are (almost) impossible to change, and once someone knows them, you're fscked. Same with fingerprints as a means of authentication... once someone makes a mould, you're done, because they can use them, and you can't change them.


> But this turns the 2FA into 1FA, and that "1" is just an SMS.

Sure, but the fact that an explanation exists is unlikely to be of help if you get your account compromised by this.

> If someone hacks eg linkedin (again), and gets all the passwords, they can just hack literally millions of accounts on other services just because of password reuse. SMS 2FA prevents that very effectively.

Hacking a specific service is much harder than simjacking. Use an alternate method of 2FA (a FIDO2 USB key would be best).


> Hacking a specific service is much harder than simjacking. Use an alternate method of 2FA (a FIDO2 USB key would be best).

If you have someone's LinkedIn email+password, how is it hard to "hack" into their Facebook account, if they use the same email+password combo there?


If you have someone's credentials for a service, it is easy to use them to log in to that service, no matter what they used for authentication.

Moving the goalposts until only your argument is valid is nice if you like to be tautologically correct, but is not very useful.


I agree about FIDO2 USB keys. As a matter of practice though, what happens if you lose the key?


Immediately? You need to find some other way to prove you're still you. Many sites which enable WebAuthn have a pile of single use random text codes you can use to do this, write at least a few down somewhere safe.

The specification for WebAuthn (and presumably U2F, but that's legacy and shouldn't be used for green field deployments) explicitly tells Relying Parties (that'd be the web site you're enrolling with) to allow multiple authenticators to be enrolled.†

They are keys after all, so it probably feels reasonable to have a key you're carrying and one spare at home. Maybe if you lose your keys a lot, buy three just in case.

Unless you've got a FIDO2 device (not just FIDO) enrolled for usernameless authentication, the device doesn't even know who you are. So if you lost it on the train, or at a crowded event, relax: even if somebody found it intact and is curious, the device can't help them log in as you, since it doesn't even tell its new owner who you are. In fact it actually works perfectly well for them too, to secure their Facebook or whatever; in this way it's more like losing a quarter than losing your car keys.

† Now somebody will point out that AWS doesn't do this, and somehow this fact will be a justification for why an entire technology is bad, rather than yet another shortcoming of AWS...
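The "pile of single use random text codes" mentioned above is easy to get wrong on the server side (storing them in plaintext, or letting a code be redeemed twice). The following is an added example, not code from any commenter or site: it issues recovery codes, keeps only salted PBKDF2 hashes, and burns each code on first use. The code count, format and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 8          # codes issued per enrolment (hypothetical policy)
PBKDF2_ROUNDS = 50_000  # slows offline guessing if the hash table leaks


def generate_backup_codes(count: int = CODE_COUNT) -> list[str]:
    """Return fresh single-use codes, shown to the user exactly once."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(6)  # 48 bits of entropy, 12 hex characters
        codes.append(f"{raw[:4]}-{raw[4:8]}-{raw[8:]}")  # readable grouping
    return codes


def _normalize(code: str) -> bytes:
    """Ignore case, spaces and dashes so hand-copied codes still match."""
    return "".join(code.split()).replace("-", "").lower().encode()


def _hash_code(salt: bytes, code: str) -> bytes:
    # Salted, iterated hash: a leaked table cannot be reversed cheaply and
    # identical codes on two accounts do not produce identical rows.
    return hashlib.pbkdf2_hmac("sha256", _normalize(code), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """Server-side record for one account: hashes only, each usable once."""

    def __init__(self, codes: list[str]):
        self.salt = secrets.token_bytes(16)
        self.hashes = {_hash_code(self.salt, c) for c in codes}

    def remaining(self) -> int:
        return len(self.hashes)

    def redeem(self, candidate: str) -> bool:
        """Accept the code if it is unused, then burn it so it cannot be replayed."""
        digest = _hash_code(self.salt, candidate)
        for stored in list(self.hashes):
            # Constant-time comparison avoids leaking partial matches via timing.
            if hmac.compare_digest(stored, digest):
                self.hashes.remove(stored)
                return True
        return False


if __name__ == "__main__":
    issued = generate_backup_codes()
    store = BackupCodeStore(issued)
    print("show once to user:", issued)
    print("first use:", store.redeem(issued[0]), "second use:", store.redeem(issued[0]))
```

The redeem path should also sit behind the same rate limit as password login; 48 bits is plenty against online guessing but not against an unthrottled endpoint.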


Personally, I just have multiple. I also enroll my devices (phone, laptop), so there's a good bit of redundancy.


2FA with only SMS is a contradiction. A single verification is by definition not actually 2FA.

If both are actually being used then an attack has to compromise the password and the SMS, which is going to be harder than just the password.


But how often does that happen? Who's going to try that for a service that doesn't offer access to banking accounts or secrets? For those, SMS can be perfectly viable (IMO).


SMS 2FA is equally as resistant as TOTP to phishing (basically not at all). It is also considerably more accessible. Phishing is a much much much bigger concern than SIM-swapping, since it scales easily. Using SMS 2FA instead of TOTP does not change your risk that much.

I'd buy these complaints much more easily if people actually mentioned this stuff when TOTP comes up. But they don't.

The only meaningful jump in security is when moving to a yubikey or equivalent.


How is 2 factor authentication 2 factor when I can reset my password with just my phone number?


That's a policy issue, not specific to SMS; it's no different than getting someone to reset your password over the phone with poor ID validation.

SMS 2FA is shitty for unrelated reasons.
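Several comments above make the same observation from different angles: once the password-reset route accepts an SMS code on its own, the account is effectively single-factor no matter what the login form asks for. The added example below (not from any commenter) is a small policy audit: each route into the account is listed with every control it requires, and the account's real assurance is the weakest route. The two sample policies are constructed for illustration.

```python
# Each path lists every control that must be satisfied on that route into
# the account. Alternatives are separate paths, not "or" within a path.
# Both policies below are constructed samples, not any real provider's rules.
WEAK_POLICY = {
    "login": {"password", "sms"},
    "forgot_password": {"sms"},               # SMS alone resets the password
}
HARDENED_POLICY = {
    "login": {"password", "sms"},
    "forgot_password": {"sms", "backup_code"},  # still two independent controls
}


def audit_recovery_paths(paths: dict[str, set[str]]):
    """Return (weakest_path, factor_count_on_it, findings).

    The account is only as strong as its weakest path; a recovery route that
    needs fewer factors than login silently lowers the whole account to that
    level, which is the "2FA becomes 1FA" problem.
    """
    login = paths["login"]
    findings = []
    for name, factors in paths.items():
        if len(factors) < 2:
            findings.append(
                f"{name}: single factor ({', '.join(sorted(factors))}), so this is not 2FA"
            )
        if name != "login" and factors < login:  # strict subset of login factors
            findings.append(
                f"{name}: requires a strict subset of the login factors; it bypasses the others"
            )
        if factors == {"sms"}:
            findings.append(f"{name}: SMS alone suffices; a SIM swap gives full access")
    weakest = min(paths, key=lambda p: len(paths[p]))
    return weakest, len(paths[weakest]), findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        path, count, findings = audit_recovery_paths(policy)
        print(f"{label}: weakest path '{path}' needs {count} factor(s)")
        for line in findings:
            print("  -", line)
```

The check is deliberately about paths rather than factor types: the same idea applies to "call support and read out your date of birth" or any other route that a provider adds later.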

