>>> I really wish that were illegal. A phone number is a phone number.
European speaking. For completeness:
Financial directive PSD2[1] allows using an SMS as a 2FA only because there is a KYC already done for that number (anon SIMs are no longer allowed in the EU).
Also note that the 2FA is not the OTP code you receive. This code is just a proxy for probing "something you have", with the "something" being the phone number which, again, is linked to a physical person/company.
I have commented this several times, but as of today, SMS is the only 2FA method that can be easily deployed at scale (all demographics, all locations, compatible with all mobile devices).
[1] https://en.wikipedia.org/wiki/Payment_Services_Directive
> anon SIM are no longer allowed in the EU
Ah. That explains why they asked for my life history when I tried to buy a local SIM in Italy.
> anon SIM are no longer allowed in the EU
Surely Ireland still allows them? If not, they're trivial to source from NI.
> SMS is the only 2FA method that can be easily deployed at scale
No, no, no, no, NO. No it's not. And you have zero proof of this. It's done this way because it's the lowest effort to give security theater.
> Financial directive PSD2[1] allows using an SMS as a 2FA only because there is a KYC already done for that number (anon SIMs are no longer allowed in the EU)
I don't think that's true. Is there even any way for banks to ask your mobile operator for your identity (or confirm it), in the way that US banks seem to be able to? That seems like it would run afoul of EU privacy regulations.
And regarding the EU "anonymous SIM" regulation: That one ironically only seems to apply to prepaid cards. To my surprise, I was just able to register a postpaid line using no identity verification whatsoever a few days ago...
> This code is just a proxy for probing "something you have", with the "something" being the phone number which, again, is linked to a physical person/company.
The "thing you have" is actually the SIM card. That's supposedly why email OTP does not count – an account on some server is not, or at least not cleanly, "something you have". (A pretty poor decision, IMO, but that's a different story.)
> I have commented this several times, but as of today, SMS is the only 2FA method that can be easily deployed at scale (all demographics, all locations, compatible with all mobile devices)
All demographics except for people that change phone numbers frequently. All locations except those that don't have cell signal (or for plans without roaming). All mobile devices except those without a SIM card slot. An authentication solution for absolutely everyone! /s
Anon SIM cards are still allowed in some EU countries: https://prepaid-data-sim-card.fandom.com/wiki/Registration_P...