Hacker News

lxgr yesterday at 2:20 PM, 11 replies

> other options available to her include

> port her cellphone number to a VOIP provider that does support receiving SMS from shortcodes over wifi

That's generally a great solution – unless the company she's dealing with is one of those that don't send SMS-OTP codes to VoIP numbers for seCuRiTy reasons, or demand that the number is somehow "registered in her name" (which many smaller carriers apparently don't do).

I really wish that were illegal. A phone number is a phone number.

> she turned on wifi calling on her phone. now she could receive SMS messages from friends and family, but 2FA codes still weren't coming through.

Interesting, I was under the impression that SMS over IMS was implemented transparently to external senders. But given what a hack the entire protocol is, I'm not really surprised.


Replies

zinekeller yesterday at 3:59 PM

> Interesting, I was under the impression that SMS over IMS was implemented transparently to external senders. But given what a hack the entire protocol is, I'm not really surprised.

I can probably illuminate some things here. This is almost certainly the SMS API they're using. Your phone, and your network by extension, does not care if the phone is technically online - so those messages get received because they're literally sending in the blind (and if the recipient is offline, the message gets temporarily stored by the receiving carrier for around 3-7 days before it is discarded).

These SMS OTP systems validate "reachability" (using APIs like https://developer.vonage.com/en/number-insight/technical-det... and https://www.twilio.com/docs/lookup/v2-api/line-status) and will not send a message if a number is 'not' reachable. Unfortunately, as implied by the air quotes, these methods are not infallible. This is done to reduce the costs of sending the message (carriers charge a lot more for commercial customers) but this is definitely stupid for an already-validated number like in this case.

jjice yesterday at 2:49 PM

It really is absurd that the same companies that won’t allow 2FA with any other method outside of SMS are the same ones not sending to VoIP. Maybe they all go through a service for SMS that blocks it, but it still upsets me.

It’s insane to me that maybe every bank I use requires SMS 2FA, but random services I use support apps.

fasteo yesterday at 6:09 PM

>>> I really wish that were illegal. A phone number is a phone number.

European speaking. For completeness:

Financial directive PSD2[1] allows the use of an SMS as a 2FA only because there is a KYC already done for that number (anon SIMs are no longer allowed in the EU).

Also note that the 2FA is not the OTP code you receive. This code is just a proxy for probing "something you have", with the "something" being the phone number which, again, is linked to a physical person/company.

I have commented this several times, but as of today, SMS is the only 2FA method that can be easily deployed at scale (all demographics, all locations, compatible with all mobile devices)

[1] https://en.wikipedia.org/wiki/Payment_Services_Directive

_bin_ yesterday at 3:15 PM

Phone numbers are used like this because in the Year of our Lord 2025, they’re the best way to semi-solve the Sybil problem even somewhat without having to literally do some kind of KYC

BenjiWiebe yesterday at 3:07 PM

I use Wi-Fi calling on a phone only for 2FA SMS. Never had a problem with it. It was RedPocket (MVNO) with T-Mobile. Annual plan of 200MB, only a few dollars a month. No T-Mobile service here* so only SMS over Wi-Fi works. Only ever used for SMS 2FA.

*The bands acquired with the Sprint merger have service, but the cheap used phone I bought was pre-Sprint-merger and lacked those bands.

fasteo yesterday at 6:11 PM

>>> she turned on wifi calling on her phone. now she could receive SMS messages from friends and family, but 2FA codes still weren't coming through.

Completely different beasts. One is P2P, the other is A2P

Marsymars yesterday at 4:25 PM

If you port your cell number to a VOIP carrier, I don’t think senders have any way of telling that it’s not still a regular cell number?

I have such a ported number and have no issues receiving SMS 2FA codes.

rsync yesterday at 7:09 PM

"port her cellphone number to a VOIP provider that does support receiving SMS from shortcodes over wifi"

...

"... unless the company she's dealing with is one of those that don't send SMS-OTP codes to VoIP numbers for seCuRiTy reasons ..."

Correct.

This is, in fact, a terrible idea because even if you do find a VOIP provider that can receive SMS from "short codes" (the weird little numbers your bank sends codes from) that is a temporary oversight and will get "fixed" eventually.

Remember:

None of this is for your security or to help you. All of these measures are just sand in the gears to slow down the relentless onslaught of scam/spam traffic.

Your bona fide mobile phone number is a "proof of work" that these providers are relying on in absence of any real solution to this problem.

baby_souffle yesterday at 2:37 PM

> That's generally a great solution – unless the company she's dealing with is one of those that don't send SMS-OTP codes to VoIP numbers for seCuRiTy reasons, or demand that the number is somehow "registered in her name" (which many smaller carriers apparently don't do). I really wish that were illegal. A phone number is a phone number.

It pisses me off to no end. I use a few different banks and some are fine with google voice, others are not. One only allows customer service to send SMS tokens to google voice but not through the regular flow. In all but one case, they will happily robo call my google voice number and have a tts engine read me the same code that they didn’t want to SMS.

Security policy by rng, ffs!

exabrial yesterday at 7:03 PM

The problem isn't discrimination of SMS number types, it's that SMS itself should be illegal, period.
