T-Mobile employees across the country receive cash offers to illegally swap SIMs
SMS-based 2FA and SIM-Swapping Risks
- Many see SMS 2FA as fundamentally unsafe because SIM swaps are easier than breaking good passwords or compromising encrypted databases.
- Attack pattern: attackers bribe or social‑engineer carrier staff to move a victim’s number to a SIM they control, then use SMS for 2FA or password reset.
- Several note that the worst part is SMS-based account recovery or password reset, which collapses 2FA into a single factor.
- Some argue SMS 2FA is still valuable for mass “low-skill” attacks (credential stuffing, weak passwords) and is better than no 2FA, especially for non‑technical users.
Alternatives to SMS 2FA
- Strong preference in the thread for TOTP apps (1Password, Bitwarden, etc.), hardware tokens (YubiKey), WebAuthn/passkeys, and “Sign in with…” (OIDC) over SMS.
- Criticisms of Google Authenticator: confusing backups, formerly hard to move between devices, now cloud-syncing secrets by default.
- Passkeys/WebAuthn are praised as phishing‑resistant but raise concerns about vendor lock‑in (Apple/Google/Microsoft control) and lack of easy, interoperable backup/export.
Usability, Recovery, and Lockout Concerns
- Many recount losing phones and struggling to restore app-based 2FA, sometimes needing video calls and ID checks; this drives users and companies back to SMS.
- Tension: stricter MFA (hardware tokens, no recovery bypass) improves security but risks permanent lockouts; most consumer services won’t accept “lose MFA, lose account.”
- Backup/recovery codes are widely recommended but rarely actually used by typical users.
Carrier Practices and Proposed Fixes
- Reports of SIM swaps being done with minimal or no ID checks; low‑paid front‑line staff often have powerful controls.
- T‑Mobile’s “SIM Protection” feature exists but is opt‑in, poorly advertised, and reportedly bypassable at higher support tiers.
- Proposed mitigations:
- Time delays and notifications before SIM changes.
- Requiring a PIN, multiple employees, or centralized/back‑office approval.
- Strong audit logs and real consequences for insiders.
Broader Identity and Policy Debates
- Some argue carriers should not be de facto identity providers; push toward national ID systems, Login.gov, or third‑party identity services.
- Others resist centralization (government IDs, Big Tech login, DNA/biometric schemes) due to privacy, abuse, and lock‑in concerns.
- Overall sentiment: SMS should be phased out for critical security, but migration must address usability, recovery, and non‑smartphone users.