It’s time to stop using SMS for security

174 points by andyjih_ about 4 years ago

14 comments


slovette about 4 years ago
So, I work in telecom and dabble a bit in software.

I don’t understand the hatred for SMS 2FA on HN. Can someone explain to me why SMS is such a bad method comparative to other solutions where the practical user adoption is near impossible at scale?

At some point, software is going to need to bend to the way people work. When does that happen instead of obsessing over ubiquitous “zero trust”?

I’d love a parable of how using SMS as part of a layered security verification is somehow unacceptably vulnerable.

lholden about 4 years ago
The URL is giving an empty page for me, so I'm afraid I can't really comment on the content of the article itself.

With that said, people should fear any site/service that uses SMS for anything security related. SMS 2FA is a fairly common vector for compromise.

It can be nice for a "data feed" though. Like, getting an update on the status of your delivery driver. Though, this can also be really annoying when say... your old college starts spamming you with stuff... which I got to experience this weekend at 1am. :)

dgellow about 4 years ago
Living in Germany, I don't remember the last time I used an SMS. When I was in south-east Asia I don't think I ever used SMS, it was always Line (or WeChat in China) or email. Is there a reason SMS are so much in use in the US but not in other parts of the world?

ddevault about 4 years ago
For the love of God, stop using Medium. I don't understand how authors don't know better by now.

upofadown about 4 years ago
"Identity management is hard. I know, let's just let the phone company deal with it!"

Later...

"Oh no! The phone company is doing a terrible job of solving our identity issue!"

fomine3 about 4 years ago
Yahoo! Japan, one of the most famous websites in Japan, forces users to use an insane auth method: SMS 1FA. It even accepts a phone number as login ID. This is really stupid.

tjs8rj about 4 years ago
Why is this a download?

My covid project was an SMS news API completely controllable from your phone and delivers short news summaries on any topic scraped from across the web (www.zipnews.io). While fun and it has several paying customers, the SMS can be somewhat expensive to send. The strength is that everyone with a connected cell phone can access the API.

fwn about 4 years ago
The website does not currently work for me. Here's a working archive.org mirror:

https://web.archive.org/web/20210316074533/https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80

If that mirror keeps hiding the text, blocking all inline scripts with uBlock Origin solved it for me.

zimbatm about 4 years ago
Did anybody experiment using Twilio (or similar) to receive 2FA SMS?

There are a few services that I use that mandate or only provide SMS as a 2FA. Using Twilio seems rather ideal since they have stricter control to porting numbers. The message probably is harder to intercept as well since it goes to their servers directly. And finally the phone number is harder for an attacker to find out since it's not my day-to-day number.

givehimagun about 4 years ago
My bank (USAA) decided to switch their 2FA away from SMS a while ago. They only do email or the USAA app auth code. I love it and I feel much safer with them because of it. Let's do start to move away - yes!

herbst about 4 years ago
As someone who does not keep a fixed phone number this reality really sucks. But I don't want security through something I don't own, and there is no way to actually own a phone number.

sdfhbdf about 4 years ago
The link is pointing to a 0 content length page with no content type header, so it behaves weirdly in, for example, Safari, trying to download.

selfhoster11 about 4 years ago
The title is misleading. This is not in fact "stop using SMS for anything", but "stop using SMS for security purposes". There is a great reason why SMS should still be in use: nothing interoperable exists with an equal adoption rate. I will not rehash the usual argument about WeChat and WhatsApp, there is plenty of discussion about them.

jfktktmgn about 4 years ago
When did Medium become a paywalled site?

Do writers on it know that you can only read 3 articles before you are required to create an account and login? (like Pinterest)