
This is the most naive take on HN. The only secure computer is one that's been unplugged and buried in six feet of concrete; everything after that is a compromise.

The real world security issues that companies face are things like:

  - users that re-use tiny passwords written on a post-it note that's attached to their monitor
  - regulated industries that don't allow them to actually lock a user out, which causes leaky social engineering flows for their help centers
  - users that constantly forget their passwords, and have terrible forgotten password questions/answers
  - passwords they share with a friend/partner, that they then have a falling out with

The reason SMS 2FA is popular is because the average use case is that the user's (reused and/or weak) password was captured somewhere, and this protects the user from simple attacks on their account where the password is known. It's just like the PIN code for most modern smartphones: just secure enough to keep the average person out if their phone is lost or stolen.

"But Joe, having a more secure system isn't that much harder on the user and is infinitely more secure." I promise you, it is that much harder. Most users can barely understand/handle SMS 2FA. Remember, we have to force users to not use trivially simple passwords like 'password'. Shoot, companies like AOL still derive monthly subscription fees because it's too hard for people to figure out how to change email providers.



> The reason SMS 2FA is popular, is because the average use case is that the user's (reused and/or weak) password was captured somewhere...

People are not disputing the effectiveness of 2FA. They're saying that SMS is not a reasonable way to implement 2FA.

All my banks' websites in Europe (I've got several) are requiring the use of a physical device, provided by the bank, and protected by a PIN. I need to use such devices both to log in and to confirm wire transfer / stock buys / etc.

U2F keys like Yubikeys and physical 2FA devices like those provided by my banks are way better than SMS 2FA. Why not strive towards that instead of saying that SMS 2FA is popular for reasons and that nothing can be done about it?


Physical 2FA devices impose a significant price burden on folks who don't have a lot of disposable income. Imagine scraping by to pay rent from your minimum wage job, and you're told that you can't sign up for $SERVICE because you don't have a new enough phone or a yubikey.

Email 2FA works just fine. Set a long, secure password for your email account. Trust that your email provider won't allow anyone to brute force their way into the account. Don't use that email for any other accounts. Bam, security is fine.

Stop trying to force more and more purchases and apps down other people's throats. Maybe I don't have a smartphone or a yubikey. I should still be able to use services, especially when many of them are required to function in society today.


Italy here.

A couple of my banks let me login by confirming my identity with a fingerprint on my phone, in their app.

Another one still supports their old 6-digit OTP generator, but also has the app with the fingerprint authorization.

Mastercard does key6 but they or my bank also send an SMS with a numeric code.

Paypal sends an SMS with an OTP.

It seems that nobody wants to spend money on hardware here.


The parent did refer to banks giving them to people. I just got a USB one in a swag bag at an event from Google so I guess they're pretty inexpensive these days. But I don't disagree with the basic point. Most everyone has a phone and won't carry around a separate hardware device in general irrespective of price.


Yeah, of course I won't do that because I might lose that device and it takes space, times the number of banks giving me their own hardware.

I keep my hardware key generator at home. I need it only to perform some operations from my computer. Everything I do outside home is with the phone, which funnily is its own 2FA device. Banks and regulators accept that for the sake of convenience.


> I promise you, it is that much harder.

Than TOTP? Than email? The problem with SMS is that it adds additional vulnerabilities through SIM jacking. Every other 2FA method is tied much more strongly to an identity.


> Than TOTP?

Yes, absolutely. Recovering lost TOTP keys in a secure way is a difficult problem, and this happens all the time when people get new phones. With SMS the code is tied to your account, not the device.

> Than email?

Probably not much better than email for most users, but I guarantee for a large subset of users the SMS experience is better. With email you need to go to a separate app/page on the same device, with SMS you get a notification on a separate device or a notification popup on the same device (that usually lets you easily copy the code). Again, I totally agree that SMS has issues, but people arguing against it should spend some time in a usability lab with non-tech people - the kind of issues they hit will blow your mind.

> The problem with SMS is that it adds additional vulnerabilities through sim jacking.

Then fix the SIM-jacking problem. Which, I'll note, phone companies have made a lot of improvements on, making this harder, and in the US the government has gotten involved in making this harder.

Most importantly, note that SIM-jacking is really just a "how do we verify someone who lost a device" problem. That exact same problem exists with TOTP and hardware keys. All we really need are uniform guidelines for proving identity when a device is lost so you're not at the mercy of some low-paid, outsourced service rep to keep your account secure in the face of a persuasive bad guy.


> Yes, absolutely. Recovering lost TOTP keys in a secure way is a difficult problem, and this happens all the time when people get new phones. With SMS the code is tied to your account, not the device.

You can store your backup codes in any number of ways. The easiest being to just download them and have them automatically backed up to Google Photos/iCloud.

> Again, I totally agree that SMS has issues, but people arguing against it should spend some time in a usability lab with non-tech people - the kind of issues they hit will blow your mind.

I don't really care about usability when the solution is strictly worse than doing nothing. Like, to be clear, users would be safer without SMS if they just used a unique password. SMS is a terrible solution that really only solves "you used the same password across two sites, one of those sites got popped, the attacker doesn't have access to the common tooling to phish your SMS, and you can't figure out how to use email apparently".

> Then fix the SIM-jacking problem.

It's a lot harder to fix "make SIM recovery safe" than it is to fix "make email recovery safe" because phone numbers transfer all the time and emails rarely do. Further, almost all account recovery ends up falling back to email natively, so there's no additional attacks added.

At the end of the day:

1. Every modern browser supports a synchronized password manager, which makes all non-FIDO2 MFA basically useless

2. SMS 2FA adds additional attack surface through SIM jacking

3. Every modern phone is a FIDO2 compatible token

SMS 2FA is simply a technology that has no place. Attacker tooling has already started to adapt to non-FIDO2 MFA so the time for that approach is just over, the best thing we can do is stop pushing for adding new vulnerabilities just to fail to solve a problem that has trivial solutions.

In short, it adds nothing over other techniques and it strictly increases attack surface.
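The exchange above turns on two mechanics: a TOTP code is derived from a secret that lives only on the enrolled device (so losing the phone loses the factor), and backup codes are the usual account-side recovery path. The following is an added illustration, not code from any commenter: an RFC 6238 TOTP generator/verifier plus a minimal one-time backup-code store that keeps only hashes and consumes each code on first use. The `RecoveryCodes` class, its code format and the acceptance window are assumptions for the demo; the test vectors come from RFC 6238 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), base32-encoded.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def enroll_device() -> str:
    """Generate a fresh 160-bit TOTP secret as base32 (what the QR code carries).
    This string is the factor: it exists only on the server and the enrolled device."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(base64.b32decode(secret_b32), at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift.
    Constant-time compare so a wrong guess leaks nothing about the right code."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at + drift * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


class RecoveryCodes:
    """Assumed account-side store of one-time backup codes (not any vendor's format).
    Only hashes are persisted; each code is removed the first time it is redeemed.
    Codes are 64-bit random values, so a plain SHA-256 is adequate here; a slow
    password hash is only needed for low-entropy, user-chosen secrets."""

    def __init__(self, count: int = 8):
        self.plaintext = []      # shown to the user exactly once at enrolment
        self._hashes = set()     # what the server actually keeps
        for _ in range(count):
            code = secrets.token_hex(8)
            self.plaintext.append(code)
            self._hashes.add(self._digest(code))

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def redeem(self, code: str) -> bool:
        """True once per code; a replayed or unknown code is rejected."""
        h = self._digest(code)
        if h in self._hashes:
            self._hashes.remove(h)
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    secret = enroll_device()
    print("device secret (base32):", secret)
    print("code now at t=0:", totp(secret, 0))
    codes = RecoveryCodes(4)
    print("backup codes to print and store offline:", codes.plaintext)
    print("redeem once:", codes.redeem(codes.plaintext[0]),
          "redeem again:", codes.redeem(codes.plaintext[0]))
```

The recovery store shows why "just download the codes" carries weight: once the device secret is gone, the hashed backup codes are the only thing the server can match against, and a code that was ever used (or leaked from a photo backup) is worthless after its first redemption only if the server actually consumes it.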


>> Yes, absolutely. Recovering lost TOTP keys in a secure way is a difficult problem, and this happens all the time when people get new phones. With SMS the code is tied to your account, not the device.

> You can store your backup codes in any number of ways. The easiest being to just download them and have them automatically backed up to Google Photos/ iCloud.

As soon as lost TOTP keys were mentioned, this is exactly the type of response I was expecting, and it shows how far out of touch tech people are with “normal” people.

MFA login is needed because general people are so bad at managing their passwords (using simple ones, re-using ones that have been leaked, etc) that the tech side had to just give up asking and start forcing everyone to use what is essentially a one time password.

If users were conscientious enough to know how to store backup codes, etc, then we wouldn’t have the problem of bad passwords to begin with. So you’re expecting people with bad habits in one area to magically have good habits in another area that only exists because they couldn’t properly solve the original problem.


> So you’re expecting people with bad habits in one area to magically have good habits in another area that only exists because they couldn’t properly solve the original problem.

Not really, no. I'm actually advocating against non-FIDO2 2FA entirely because a strong password is just as good and every browser has a password manager built in now. 2FA doesn't add security, SMS 2FA makes things worse.


Built-in password managers (at least Chrome's) suck:

1. These days, most people use passwords across browsers and native apps. In-browser password managers don't really support this use case well, at all.

2. At least in Chrome's, you can't manually add a password or add any notes.

3. Sometimes login domains change, and since the password is only tied to the domain (not a generic name), it's easy for passwords to get lost.

Again, nobody is really disagreeing with you that the situation is less than ideal or that there are more secure alternatives. But you seem unwilling to accept that a huge swath of the population sucks at secure password management, which is why SMS 2FA is a "lowest common denominator" option to improve security.


I think the main contention here is that I'd say users should just do nothing. SMS 2FA sucks and it's going to be a horrible tech debt that we're paying off for decades. We have better alternatives that, for a huge number of users, are perfectly acceptable. For everyone else, yes, they will have to use stronger passwords.

I really don't believe that there's some huge cross section of users who simultaneously:

a) Will go through the hassle of enabling and using SMS 2FA

b) Won't go through the hassle of using another 2FA method - email, TOTP, any smartphone for U2F, or a dedicated token

c) Won't use relatively unique passwords for high value websites, password manager or not

IMO SMS 2FA is, however, likely convincing users that they are safer than they truly are, and gives companies an excuse to do what's easy and not what's safe.

I mean, some banks even hand out hardware tokens to customers. I'd suggest that instead of SMS 2FA being treated as acceptable we add more pressure to improve the other systems, lower their prices, etc. Hardware keys should be effectively free.


> SMS is a terrible solution that really only solves "you used the same password across two sites

Right. That’s the sole purpose. People pick bad passwords and reuse them, but you already know that.

As much as tech tries to make this easy for people, it’s a horse-vs-water problem. Even smart people refuse to use password managers. Most of those people have figured out how to receive text messages.

Seriously, go find someone who owns a JitterBug phone and watch them create a new account on the website of your choice. We’ve got a long way to go.


Instead of pushing a non-solution that trades one issue for another we should be educating people on password managers. Every major browser has built-in password management.


My bank wanted me to verbally give them a new password (with various constraints like uppercase, lowercase, symbols, at least 12 characters) over the phone, having already identified with a dozen or so personal bits of information.

Apparently it was perfectly secure because to use it I also need an SMS.


Yikes. You should get a new bank. There are acceptable places for compromising security a bit, but reading out your password over the phone and then verifying SMS code also over the phone is definitely not one of them.


I hear you. However, don't force it on me then. Why not make it optional and give me a big disclaimer that I assume the risk if not signing up for that SMS-based 2FA? We already check many boxes. Happy to check one more.


> give me a big disclaimer that I assume the risk

Are you (and everybody else who ticks this box) going to pay for the company’s time dealing with the resulting tech-support phone calls? You might be willing to assume the risk for your own data, but for the company to offer this option, you also need to assume the risk of increasing their operating expenses.


You are the one forcing your opinion on us. "We are tired". No, you are tired.



