One of my main problems with SMS 2FA from a usability standpoint, aside from SS7 hijacks and security problems, is that it cannot be relied upon when traveling in many international locations. I have been *so many places* where there is just about zero chance of my T-Mobile SIM successfully roaming onto the local network and receiving SMS at my US or Canadian number successfully. What am I supposed to do, take the SIM out of my phone, put it in a burner and give it to a trusted family member in North America, just for the purpose of receiving SMS 2FA codes (which I then have to call them and get the code from manually each time), before going somewhere weird?

In the pre-COVID-19 era when people were actually traveling places, imagine you've had reason to go somewhere weird and need access to a thing (such as your online banking, perhaps?) protected by SMS 2FA, but you have absolutely no way of receiving the SMS where you're presently located...

Many of the people designing SMS 2FA systems used by people with accounts/services in the US 50 states and Canada seem to assume that their domestic customers will forever remain in a domestic location.

On Sun, Apr 18, 2021 at 5:44 AM Mark Tinka <mark@tinka.africa> wrote:
> On 4/18/21 05:18, Mel Beckman wrote:
>
>> No, every SMS 2FA should be prohibited by regulatory certifications. The telcos had years to secure SMS. They did nothing. The plethora of well-secured commercial 2FA authentication tokens, many of them free, should be a mandatory replacement for 2FA in every security governance regime, such as PCI, financial account access, government web portals, etc.
>
> While I agree that SMS is insecure at the moment, I think there still needs to be a mechanism that does not rely on the presence of an Internet connection. One may not be able to have access to the Internet for a number of reasons (traveling, coverage, outage, device, money, etc.), and a fallback needs to be available to authenticate.
>
> I know some companies have been pushing for voice authentication for their services through a phone call, in lieu of SMS or DTMF-based PINs.
>
> We need something that works at the lowest common denominator as well, because as available as the Internet is worldwide, it's not yet at a level that one would consider "basic access".
>
> Mark.