Hacker News

SMS 2FA is not just insecure, it's also hostile to mountain people

371 points by todsacerdoti yesterday at 1:28 PM | 289 comments | view on HN

Comments

kazinator today at 1:33 AM

Mountain people and anyone who goes abroad, where they use a different SIM card.

People who perpetrate SMS 2FA are pure scum.

joe_the_user yesterday at 8:06 PM

I did some digging, and it turns out messages from 5 digit shortcodes often aren't supported over wifi calling. Sometimes they are, but in her case they're clearly not.

This seems like a rather specific problem that isn't related to mountain people as such but services blocking "shortcodes" apparently for a variety of reasons. It is true that text and call reliability is becoming a real problem generally where you have these authentication issues. I myself live in the mountains and have dealt with reliability issues.

Here's a discussion of this specific problem with T-mobile: https://www.reddit.com/r/tmobile/comments/ardcnc/aargh_final...

BlueTemplar yesterday at 5:54 PM

Great points.

> and TOTP, the obvious alternative solution, is still pretty sorry. you have to download an app to do it, it's not just a capability that a phone has by default. and then when trying to find an app to use for it, you're presented with a multitude of high-stakes choices, and often pretty technical explanations if you start internet searching about which app to use.

A reminder that mandatory iOS App Store / Android Play Store / (Xiaomi store ???) is even less acceptable than SMS 2FA unless maybe you're a USA(/Chinese) citizen living in USA(/China).

neilv yesterday at 5:14 PM

Not only SMS 2FA, but in the past maybe couple years, many sites have been making their logins worse in many ways.

For example, I'm actually liking Walmart.com more than Amazon in some ways lately, but logging into Walmart.com takes minutes while I wait for the 2FA after I already password authenticate. So Amazon wins all the casual browsing and impulse sales, and by the time I do log in to Walmart.com, it's only because I know I want to order something from there specifically, and it's already feeling tedious.

Some off-the-cuff suggestions, since the worsening authentication experience really bugs me:

1. Present the email/username and password fields simultaneously, so browsers like Firefox can fill out both fields. (A lot of sites have started showing only the email/username to start, and also making that rely on non-login form field filling. And only after you type in your admin/email, because you don't form autofill in general, does it present

2. After user opts to authenticate with a password rather than SMS/email code, let them in, unless you're something like a bank or a medical provider. (Don't then make them do the SMS/email code anyway.)

3. If your mega online store handles HIPAA-sensitive data for some small percentage of visits, and you need 2FA for that, maybe only do the 2FA to upgrade the authentication confidence for the session. (Or maybe the more sensitive data is on a different backend anyway, so as not to encumber all the developers implementing Wheaties logistics with all the additional protections that are needed for medical records, nor to add additional weak links leading to leaks.)

4. When SMS/email 2FA is really necessary, send it immediately and reliably, and make it copy&pasteable. (Sometimes I wait minutes, and other times it doesn't come through at all. And I've even gotten email ones where competent-user text-selection picks up whitespace somehow, or even a weird unprintable Unicode character, which breaks the code entry when pasted.)

5. Those buttons to authenticate a variety of other sites are needlessly leaking information, and creating additional ways to compromise the account. (That's what you do if you want to reduce friction to first visits to your site, for which people aren't interested enough to create a password to use -- but not for logins from recurring customers.)

6. Don't prompt for "remember this browser?", and don't otherwise rely on the persistent tracking data deposited on the user's browser, across explicit authentication sessions, such as to decide whether to 2FA. For one reason, those persistent data mechanisms are overwhelmingly for shady abuse by the adtech/surveillance industry in shady ways, and are frequently cleared by privacy-conscious users. And why is a bank, for example, complicating the UI to ask ordinary users whether to lower their authentication security on this device, and expecting much sense out of that at all? Keep it simpler, more secure, and more responsible or respectable.

7. If you must support 2FA, make TOTP an option. And not TOTP-incompatible codes that require installing your app, or that depend on some oddball third-party proprietary authenticator app/fob that seemed like a good idea at the time but is not a reason not to support TOTP. (You can still grandparent in the legacy proprietary 2FA, for those long-time users who've been using it, and be clever about not complicating the UI for those dwindling users, nor for the increasing users using the more current open standard.)

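An added example, not code from the thread or from any site or project it mentions: a standard-library Python TOTP verifier of the RFC 6238 kind neilv's point 7 asks for, which also normalises the submitted code the way point 4 wants, dropping whitespace and invisible format/control characters picked up by copy and paste before checking it. The secret is the RFC 6238 test-vector secret; the one-step skew window is an assumption.

```python
import hmac
import hashlib
import struct
import unicodedata

STEP = 30      # RFC 6238 default time step, seconds
DIGITS = 6     # code length most authenticator apps show


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, at // STEP, digits)


def normalize_code(raw: str) -> str:
    """Strip what sloppy text selection picks up: whitespace plus Unicode
    format (Cf, e.g. zero-width space) and control (Cc) characters."""
    return "".join(ch for ch in raw
                   if not ch.isspace() and unicodedata.category(ch) not in ("Cf", "Cc"))


def verify(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step or any step within +/- `window`
    (assumed skew tolerance); every comparison is constant-time."""
    code = normalize_code(submitted)
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return False
    base = at // STEP
    return any(hmac.compare_digest(hotp(secret, base + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: ASCII secret "12345678901234567890", T=59 -> 94287082
    SECRET = b"12345678901234567890"
    print(totp(SECRET, 59, 8))                     # 94287082
    # constructed pasted input with a leading space, a zero-width space and a newline
    print(verify(SECRET, " 287\u200b082\n", 59))   # True
```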
charcircuit yesterday at 4:33 PM

Why does SMS need a cell tower booster but the internet router doesn't need a cell tower booster? SMS will be much less bandwidth so it should be easier to receive than a whole web page.

Joel_Mckay yesterday at 2:53 PM

1. 2FA over SMS is only $23 away from a compromised phone service

2. People love binding individual accounts to specific IP addresses, and large marketing firms especially like websites that use free DNS service to quietly track said users across the session

3. Much like DRM, the account auto constrains a single user to a single IP. Makes sense... unless you run a business account with a dozen people clearing a shared inbox

4. SMS inbox phone numbers are $2.75, and that requirement is bypassed if the company smartphone hardware/emulation is in use for account "recovery"

5. SIM hijacking and email server snooping is far more common than people like to admit

6. People feel safer, but it only increases the CVE difficulty level slightly above third world skill levels

This is why we can't have nice things =3

andoando yesterday at 5:22 PM

Can we just go back to having passwords please. I hate this state of authentication on the web.

kawsper yesterday at 2:38 PM

Not only mountain people, try staying in Wales or inner parts of London, good luck receiving your 2FA code.

malcolmgreaves yesterday at 3:39 PM

Why can’t people take the time to use grammar correctly? This post is illegible.

jaoane yesterday at 1:52 PM

When you choose an eccentric lifestyle you should accept the loss of certain features.
