On 4/19/21 05:05, Eric Kuhnke wrote:

One of my main problems with SMS 2FA from a usability standpoint, aside from SS7 hijacks and security problems, is that it cannot be relied upon when traveling in many international locations. I have been so many places where there is just about zero chance of my T-Mobile SIM successfully roaming onto the local network and receiving SMS at my US or Canadian number successfully.

What am I supposed to do, take the SIM out of my phone, put it in a burner and give it to a trusted family member in North America, just for the purpose of receiving SMS 2FA codes (which I then have to call them and get the code from manually each time), before going somewhere weird?

In the pre covid19 era when people were actually traveling places, imagine you've had reason to go somewhere weird and need access to a thing (such as your online banking, perhaps?) protected by SMS 2FA, but you have absolutely no way of receiving the SMS where you're presently located...

Many of the people designing SMS 2FA systems used by people with accounts/services in the US 50 states and Canada seem to assume that their domestic customers will forever remain in a domestic location.

This is a practical problem that I suffer with one of my South African providers, every time I traveled to the U.S. in the last 3 years. I could roam on all GSM networks in the U.S., and even make voice calls, but SMS's would not get delivered. Delivery of those only resumed the moment I transited in the Gulf on my way back home. This did not affect other countries I traveled to.

But you are right, most network operators and SMS authentication designers do not necessarily work together to account for folk that travel.

Mark.