SMS 2FA is not just insecure, it's also hostile to mountain people
Security properties of SMS vs alternatives
- Many see SMS 2FA as the weakest option: vulnerable to SIM‑swapping, SS7 abuse, interception, and phishing, yet still clearly better than no 2FA for mass users, and it stops credential‑stuffing.
- Others argue the real bar today is phishing‑resistance; TOTP/HOTP protect against password reuse but are still easily phished, so WebAuthn/passkeys and hardware keys are preferred.
- Banking/regulated payments often need “what you see is what you sign” (tying a code to a specific amount/merchant). SMS can embed that text in the message; generic TOTP usually cannot, which is cited as a reason banks cling to proprietary apps or SMS.
- Some note that co‑locating TOTP with passwords (e.g., in a password manager or OS keychain) weakens the “two factors” idea, but is still an improvement over passwords alone.
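The gap between a generic TOTP code and a transaction-bound ("what you see is what you sign") code, as an added example that is not from the discussion or from any bank's implementation. `tx_code` and `verify_tx` are hypothetical names for an illustrative HMAC construction, and the secret is the published RFC 6238 test value.

```python
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of a MAC to a decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the only inputs are the secret and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    return _truncate(hmac.new(secret, counter, hashlib.sha1).digest(), digits)


def tx_code(secret: bytes, unix_time: int, amount_cents: int, payee: str,
            digits: int = 6, step: int = 30) -> str:
    """Illustrative construction (an assumption of this example): MAC covers amount and payee."""
    payee_bytes = payee.encode("utf-8")
    # Length-prefix the payee so distinct (amount, payee) pairs never encode alike.
    msg = struct.pack(">QQI", unix_time // step, amount_cents, len(payee_bytes)) + payee_bytes
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), digits)


def verify_tx(secret: bytes, unix_time: int, amount_cents: int, payee: str, code: str) -> bool:
    """Server side: recompute the code over the transaction actually submitted."""
    expected = tx_code(secret, unix_time, amount_cents, payee)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    now = 59                          # constructed timestamp (RFC 6238 test vector)
    print("TOTP:", totp(secret, now))
    code = tx_code(secret, now, 12_50, "Example Bookshop")
    print("approved as shown:", verify_tx(secret, now, 12_50, "Example Bookshop", code))
    print("payee altered:    ", verify_tx(secret, now, 12_50, "Other Account", code))
```

The TOTP value is valid for any request that reaches the server within its time step, whereas the transaction-bound code only verifies for the amount and payee the user was shown.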
Coverage, reliability, and roaming issues
- Many report exactly the article’s problem: poor or no cell signal at home, especially in mountains, valleys, basements, rural areas, and even parts of big cities.
- Wi‑Fi calling often works for person‑to‑person SMS but not reliably for short‑code 2FA messages; behavior varies by carrier and implementation.
- International travelers and people on non‑roaming or expensive roaming plans frequently cannot receive SMS 2FA, or pay per‑message.
- Experiences differ: some say they get all short‑code SMS over Wi‑Fi without issue and see this as a carrier‑ or provisioning‑specific problem.
Privacy, tracking, and phone-number dependence
- One camp claims SMS 2FA is fundamentally about harvesting stable phone identifiers for marketing, tracking, and data brokerage, citing social networks that tie accounts tightly to “real” mobile numbers.
- Others counter that institutions mandating SMS (banks, healthcare) already have full PII; for them SMS is mostly compliance + vendor convenience, not additional data mining.
- Blocking VoIP/burner numbers “for security” is seen by some as unjustified and exclusionary, especially when the same institutions will happily robo‑call those numbers with the same codes.
Banks, regulation, and VoIP blocking
- Multiple users report banks that:
  - Only allow SMS 2FA, no TOTP/WebAuthn.
  - Refuse VoIP numbers for codes, or only allow them via support agents.
  - In some cases permit SMS to Google Voice or similar, sometimes only for older (“grandfathered”) numbers.
- EU commenters reference PSD2 and SIM registration/KYC as reasons SMS is considered an acceptable “something you have” at scale, despite obvious downsides.
- Carriers and SMS aggregators offer “line type” and “reachability” APIs; many services pre‑filter or misclassify numbers (e.g., VoIP seen as landline), causing unexplained 2FA failures.
Usability and UX complaints
- Users describe frequent non‑delivery or long delays of SMS codes, leading to abandoned logins, support calls, and bogus “fraud prevented” metrics.
- Some banks charge per 2FA SMS; others force SMS for every operation, including from within their own app.
- Broader complaint: modern login flows are getting worse (multi‑step username→password→code, required SMS/email 2FA even for low‑risk actions), especially compared to smoother alternatives on mobile.
- App‑only flows (scooters, parcel lockers, hotel laundromats) that demand smartphones, data, Bluetooth, and SMS are seen as fragile and exclusionary.
Rural life, equity, and “lifestyle choice” debate
- One side dismisses the problem as a consequence of an “eccentric” rural lifestyle that others shouldn’t have to “subsidize.”
- Others push back strongly: living 10–20 minutes from a city (including tech hubs) with poor cell coverage is common, not eccentric; many older, poorer, or homeless people also lack stable mobile service or smartphones.
- Several argue that tying essential services (especially banking) to SMS 2FA without alternatives is effectively discriminatory, even if not a legally protected category; others say calling it “discrimination” is a legal and rhetorical overreach.
Workarounds and niche solutions
- Suggested hacks include: Google Fi (SMS over Wi‑Fi globally), femtocells/microcells and LTE extenders, VoIP numbers that forward SMS to email, USB modems or 4G routers that email codes, SMS‑to‑API “mules,” and leaving a SIM at home in a forwarding phone.
- Many note these require technical skill, extra hardware, or subscription cost, and thus aren’t realistic for typical affected users—reinforcing the argument that mandatory SMS 2FA is a poor default.