Second factor SMS: Worse than its reputation

Breach and SMS architecture problems

  • IdentifyMobile left an S3 bucket of SMS contents world-readable, exposing 2FA codes and all SMS routed via certain Twilio paths.
  • Commenters question why SMS contents were stored at all; OTP/TOTP systems don’t need such a datastore, eliminating this failure mode.
  • Some see this mainly as a vendor security failure; others argue SMS inherently encourages such central storage and multi-aggregator chains, increasing risk.

Security of SMS 2FA vs alternatives

  • Broad agreement: SMS 2FA is weak, but still better than no 2FA, especially against credential stuffing.
  • Major risks cited: SIM swapping, vendors leaking messages, SMS being reused as a single-factor “account recovery,” and “magic link”-style logins via SMS.
  • Some argue the actual attack surface often comes from poor implementations (reuse of codes for different actions, world-readable data, using phone numbers for reset).
  • NIST guidance against SMS 2FA is mentioned, but many note user-experience and support pressures keep it in use.

Usability, adoption, and risk trade-offs

  • SMS wins on ubiquity and low friction; many users struggle with authenticator apps or hardware keys.
  • Several commenters stress risk-based use: acceptable for low-value actions (e.g., consumer booking verification), not for banking or health.
  • Others complain about being forced into particular methods (e.g., banking apps that won’t run on rooted phones, mandatory app 2FA with no SMS fallback).

Alternative authentication models

  • Strong enthusiasm for WebAuthn/FIDO2, hardware keys (YubiKey), bank card readers, and national eID systems (e.g., BankID, EU eIDAS, dynamic linking for PSD2).
  • Critiques: hardware keys are hard to deploy universally, need fallbacks, and are tricky on some platforms (e.g., Linux, devices without USB/NFC).
  • Banks that use separate tokens for different actions (login vs. new payee vs. high-value transfer) are praised as more phishing-resistant.

Phone numbers, tracking, and privacy

  • Many suspect SMS 2FA is often a pretext to collect phone numbers for tracking, marketing, or anti-spam/anti-sybil controls.
  • Phone numbers are seen as de facto global identifiers, with all the downsides of being reassignable, shared, and hard to change.

Phishing, ads, and user behavior

  • Multiple real-world phishing stories: fake “BANKNAME login” Google ads, replaying 2FA codes to authorize fraudulent transfers.
  • Suggested mitigations: ad blockers (even recommended by government guidance cited in the thread), bookmarking bank URLs, using password managers that refuse to autofill on mismatched domains, DNS-level filtering and typo-squat blocklists.
  • Concern that ad-based search (Google, app stores) structurally enables phishing despite nominal checks.
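The design praised above (a separate code per action, so a login code cannot authorize a transfer and a code replayed against a different payee or amount is rejected) comes down to binding the HMAC input to the action context and consuming each code once. The sketch below is an added example, not code from the thread or any bank; the secret, payee and amount are constructed demo values.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # validity window of one code
DIGITS = 6

def _context(action: str, params: dict) -> bytes:
    """Canonical, order-independent encoding of what the user is approving."""
    fields = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return f"{action}|{fields}".encode()

def generate_code(secret: bytes, action: str, params: dict, now: float) -> str:
    """Derive a 6-digit code bound to the action, its parameters and the time step."""
    counter = int(now // STEP_SECONDS)
    msg = _context(action, params) + struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation as in RFC 4226 (HOTP), applied to a SHA-256 digest.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify_code(secret: bytes, action: str, params: dict, code: str,
                used: set, now: float, skew: int = 1) -> bool:
    """Accept only for the same action+params, within +-skew steps, and only once."""
    ctx = _context(action, params)
    for delta in range(-skew, skew + 1):
        t = now + delta * STEP_SECONDS
        if hmac.compare_digest(generate_code(secret, action, params, t), code):
            key = (ctx, int(t // STEP_SECONDS))
            if key in used:        # replay of an already-consumed code
                return False
            used.add(key)
            return True
    return False

if __name__ == "__main__":
    secret = b"constructed-demo-secret"        # demo value, provisioned per user in practice
    now = time.time()
    used = set()
    transfer = {"payee": "DE89370400440532013000", "amount": "1500.00"}  # constructed
    code = generate_code(secret, "transfer", transfer, now)
    print("approve transfer:", verify_code(secret, "transfer", transfer, code, used, now))
    print("replay same code:", verify_code(secret, "transfer", transfer, code, used, now))
    login_code = generate_code(secret, "login", {}, now)
    print("login code on transfer:", verify_code(secret, "transfer", transfer, login_code, used, now))
```

The `used` set stands in for per-user server-side state; the code is only as strong as the channel it is shown on, so the user must see the payee and amount alongside it to confirm what they are approving.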