T-Mobile employees across the country receive cash offers to illegally swap SIMs

SMS-based 2FA and SIM-Swapping Risks

  • Many see SMS 2FA as fundamentally unsafe because SIM swaps are easier than breaking good passwords or compromising encrypted databases.
  • Attack pattern: attackers bribe or social‑engineer carrier staff to move a victim’s number to a SIM they control, then use SMS for 2FA or password reset.
  • Several note that the worst part is SMS-based account recovery or password reset, which collapses 2FA into a single factor.
  • Some argue SMS 2FA is still valuable for mass “low-skill” attacks (credential stuffing, weak passwords) and is better than no 2FA, especially for non‑technical users.

Alternatives to SMS 2FA

  • Strong preference in the thread for TOTP apps (1Password, Bitwarden, etc.), hardware tokens (YubiKey), WebAuthn/passkeys, and “Sign in with…” (OIDC) over SMS.
  • Criticisms of Google Authenticator: confusing backups, formerly hard to move between devices, now cloud-syncing secrets by default.
  • Passkeys/WebAuthn are praised as phishing‑resistant but raise concerns about vendor lock‑in (Apple/Google/Microsoft control) and lack of easy, interoperable backup/export.

Usability, Recovery, and Lockout Concerns

  • Many recount losing phones and struggling to restore app-based 2FA, sometimes needing video calls and ID checks; this drives users and companies back to SMS.
  • Tension: stricter MFA (hardware tokens, no recovery bypass) improves security but risks permanent lockouts; most consumer services won’t accept “lose MFA, lose account.”
  • Backup/recovery codes are widely recommended but rarely actually used by typical users.

Carrier Practices and Proposed Fixes

  • Reports of SIM swaps being done with minimal or no ID checks; low‑paid front‑line staff often have powerful controls.
  • T‑Mobile’s “SIM Protection” feature exists but is opt‑in, poorly advertised, and reportedly bypassable at higher support tiers.
  • Proposed mitigations:
    • Time delays and notifications before SIM changes.
    • Requiring a PIN, multiple employees, or centralized/back‑office approval.
    • Strong audit logs and real consequences for insiders.

Broader Identity and Policy Debates

  • Some argue carriers should not be de facto identity providers; push toward national ID systems, Login.gov, or third‑party identity services.
  • Others resist centralization (government IDs, Big Tech login, DNA/biometric schemes) due to privacy, abuse, and lock‑in concerns.
  • Overall sentiment: SMS should be phased out for critical security, but migration must address usability, recovery, and non‑smartphone users.