
SMS 2FA is not just insecure, it's also hostile to mountain people

lxgr

> other options available to her include

> port her cellphone number to a VOIP provider that does support receiving SMS from shortcodes over wifi

That's generally a great solution – unless the company she's dealing with is one of those that don't send SMS-OTP codes to VoIP numbers for seCuRiTy reasons, or demand that the number is somehow "registered in her name" (which many smaller carriers apparently don't do).

I really wish that were illegal. A phone number is a phone number.

> she turned on wifi calling on her phone. now she could receive SMS messages from friends and family, but 2FA codes still weren't coming through.

Interesting, I was under the impression that SMS over IMS was implemented transparently to external senders. But given what a hack the entire protocol is, I'm not really surprised.

zinekeller

> Interesting, I was under the impression that SMS over IMS was implemented transparently to external senders. But given what a hack the entire protocol is, I'm not really surprised.

I can probably illuminate some things here. This is almost certainly the SMS API they're using. Your phone, and your network by extension, does not care if the phone is technically online - so those messages get received because they're literally sending in the blind (and if the recipient is offline, the message gets temporarily stored by the receiving carrier for around 3-7 days before it is discarded).

These SMS OTP systems validate "reachability" (using APIs like https://developer.vonage.com/en/number-insight/technical-det... and https://www.twilio.com/docs/lookup/v2-api/line-status) and will not send a message if a number is 'not' reachable. Unfortunately, as implied by the air quotes, these methods are not infallible. This is done to reduce the costs of sending the message (carriers charge a lot more for commercial customers), but this is definitely stupid for an already-validated number like in this case.

jjice

It really is absurd that the same companies that won’t allow 2FA with any other method outside of SMS are the same ones not sending to VoIP. Maybe they all go through a service for SMS that blocks it, but it still upsets me.

It’s insane to me that maybe every bank I use requires SMS 2FA, but random services I use support apps.

connicpu

May vary by institution, but both banks I have accounts with also support having a robot call my phone where I can confirm the login. That should at least work with WiFi calling.

BenjiWiebe

I've been using Citi and Discover for years with a Google Voice number. Possibly I've been grandfathered in though?

terinjokes

I could not use my Google Voice number (that I've had since Grand Central) for most companies that only do SMS 2FA until it became my Google Fi number. Then I guess some flag got set in the database they check against.

iszomer

GV still works on BOA to an extent: general balance queries through their app or the web will go through but anything involving identity and real transactions via wire or zelle will ask for your real mobile number. Even if you do happen to visit one of their branches they will ask for confirmation through your real mobile number (landlines will obviously not work).

pxeboot

I think your experience is typical. I use my Google Voice number for everything and have rarely had any issues.

There are a few popular companies that blacklist VoIP numbers, but most don't. Even Chase, which historically blocked Google Voice, started allowing it a couple years ago.

emeril

Yeah, I use GV with all sorts of things that don't normally allow it, most likely as a result of being grandfathered in - i.e., I suspect they don't recheck old active numbers as being invalid per VOIP classifications/etc.

notyourwork

Chase bank used to not work with Google Voice. I would have to use email for the code. Sometime in the last year? It started working.

brewdad

Mine has worked as well but it used to be a landline when I first acquired it many moons ago.

ravenstine

Execs at those companies probably think "Google = good".

unethical_ban

I absolutely cannot stand that no bank I have (US) supports generic TOTP, which is more secure and easier to recover from backup if my phone is broken or stolen.

It's inexcusable.

_bin_

This is probably compliance-related. For me, TOTP isn’t “something I have”, it’s another thing I toss into my password manager and sync to all devices.

I really agree with it, but that’s probably their rationale.

lxgr

TOTP is alright for logins, but it's generally very phishable. For transaction confirmation, not being able to tie a code to a given recipient and amount is somewhat of a dealbreaker.

lldb

Although they don't offer TOTP, I've noticed growing support for Passkeys which is a step in the right direction.

fragmede

Fwiw, Symantec VIP is TOTP under the hood, and you can extract the seed with some hackery. There is at least one financial institution in the US that uses that.

fortran77

My brokerage supports TOTP but not my bank. My bank does support Yubikey-type devices though.


rsync

"port her cellphone number to a VOIP provider that does support receiving SMS from shortcodes over wifi"

...

"... unless the company she's dealing with is one of those that don't send SMS-OTP codes to VoIP numbers for seCuRiTy reasons ..."

Correct.

This is, in fact, a terrible idea because even if you do find a VOIP provider that can receive SMS from "short codes" (the weird little numbers your bank sends codes from) that is a temporary oversight and will get "fixed" eventually.

Remember:

None of this is for your security or to help you. All of these measures are just sand in the gears to slow down the relentless onslaught of scam/spam traffic.

Your bona fide mobile phone number is a "proof of work" that these providers are relying on in absence of any real solution to this problem.

exabrial

The problem isn't discrimination of SMS number types, it's that SMS itself should be illegal, period.

fasteo

>>> I really wish that were illegal. A phone number is a phone number.

European speaking. For completeness:

Financial directive PSD2[1] allows using an SMS as a 2FA only because there is a KYC already done for that number (anon SIMs are no longer allowed in the EU).

Also note that the 2FA is not the OTP code you receive. This code is just a proxy for probing "something you have", with the "something" being the phone number which, again, is linked to a physical person/company.

I have commented this several times, but as of today, SMS is the only 2FA method that can be easily deployed at scale (all demographics, all locations, compatible with all mobile devices)

[1] https://en.wikipedia.org/wiki/Payment_Services_Directive

watermelon0

Anon SIM cards are still allowed in some EU countries: https://prepaid-data-sim-card.fandom.com/wiki/Registration_P...

lisper

> anon SIM are no longer allowed in the EU

Ah. That explains why they asked for my life history when I tried to buy a local SIM in Italy.

exabrial

> SMS is the only 2FA method that can be easily deployed at scale

No, no, no, no, NO. No it's not. And you have zero proof of this. It's done this way because it's the lowest effort to give security theater.

dfawcus

> anon SIM are no longer allowed in the EU

Surely Ireland still allows them? If not, they're trivial to source from NI.

_bin_

Phone numbers are used like this because in the Year of our Lord 2025, they’re the best way to semi-solve the Sybil problem even somewhat without having to literally do some kind of KYC

fasteo

>>> she turned on wifi calling on her phone. now she could receive SMS messages from friends and family, but 2FA codes still weren't coming through.

Completely different beasts. One is P2P, the other is A2P

caseyy

I was under the impression WiFi Calling was just regular phone service through WiFi. It seems to work that way for me, 2FA codes and all.

BenjiWiebe

I use Wi-Fi calling on a phone only for 2FA SMS. Never had a problem with it. It was RedPocket (MVNO) with T-Mobile. Annual plan of 200MB, only a few dollars a month. No T-Mobile service here* so only SMS over Wi-Fi works. Only ever used for SMS 2FA.

*The bands acquired with the Sprint merger have service, but the cheap used phone I bought was pre-Sprint-merger and lacked those bands.

LeifCarrotson

She just needs a microcell/femtocell.

Talk to your provider, explain to them you get poor service at your home or place of work, and they'll send you a free Internet-in cellular-out radio AP. She doesn't need a tower-based booster if she's got fiber/cable/DSL; those only serve to amplify weak signals, and she's too many miles and too many mountain ridges away from the nearest tower. She wants something with RJ-45 input and a little GPS antenna so the cell supports e911 location data, and it will broadcast LTE (or now 5G) cellular data.

I work at a shop with metal walls located in a river valley. It's a cellular data black hole. People used to climb the hill up the driveway to make and take calls, but various people called their ATT, Verizon, and T-Mobile providers and all three shipped us femtocells. Now the users and the contractors/customers who come to visit can't even tell that their phones have switched to data over our ISP instead of a tower, it just works - including 2FA codes and MVNOs.

She may have to switch to first-party Verizon service instead of using an MVNO.

lisper

> She just needs a microcell/femtocell.

Those come with their own set of problems. In particular, they have to be able to receive a GPS signal, which is often not possible in mountainous terrain. I had a microcell for years and it was nightmarishly unreliable. Not only would it regularly (but randomly) just stop working, it would give absolutely no indication of why it was not working.

PaulDavisThe1st

They do not have to receive GPS, but it causes issues for e911 service if they do not. It has no impact on anything else, at least not the T-Mobile version.

lisper

The one I had, an AT&T Microcell, which was the only model offered by my cell provider, refused to work without a GPS signal.

kmoser

It seems T-Mobile no longer offers such hardware: https://www.t-mobile.com/support/coverage/4g-lte-cellspot-se...

mikestew

Maybe T-Mobile doesn't need to. I've used their WiFi calling for, what, going on ten years probably. Works a treat, including getting short code SMS. Ergo, I don't know the use case for femtocell for T-Mobile. That's why I was surprised to learn via TFA that WiFi isn't the solution in all cases.

PaulDavisThe1st

We moved to a T-Mobile femtocell precisely because their wifi calling was absolute shit in our experience. Dropped calls, no group SMS, no SMS/RCS images, frequently no calling service at all. The femtocell fixed all of that for us, and it has remained fixed.

Spivak

I'm surprised the major cell providers are cool with letting randos operate cell towers that back into an unknown untrusted ISP and their customers will automatically switch to when in range. It's unbelievably chill for companies that are usually so concerned about their image and controlling the whole experience end to end.

Suppafly

>I'm surprised the major cell providers are cool with letting randos operate cell towers that back into an unknown untrusted ISP and their customers will automatically switch to when in range.

A lot of office buildings have these in them. I think the personal ones are how they get around some of the issues with government requiring them to build networks to certain coverage. They just don't build it out and when someone complains they offer them one of these.

wmf

Femtocells are remotely controlled by the carrier, they require GPS location (and maybe spectrum sensing), and I assume the backhaul is over VPN. Obviously they can't guarantee any QoS but it's better than having no signal.

(Fun trivia: Our office paid $XX,000 for AT&T MicroCells which wouldn't activate because they couldn't get GPS signal.)

zinekeller

Eh, assuming it's 4G LTE (or above), it's literally the same thing as Wi-Fi calling. This is technically called IMS (IP Multimedia Subsystem, https://en.wikipedia.org/wiki/IP_Multimedia_Subsystem), and is powered by "magic" DNS (no kidding, everything points to 3gppnetwork.org) and literal IP + IPSEC. Even when your phone is connected to Wi-Fi, it enters a special mode called IWLAN which powers your Wi-Fi calling, SMS, and RCS. The only actual factor here is if the ISP that you have versus your mobile network has a good peering.

kotaKat

No, in this case the consumer femtocells on the market (AT&T Cell Booster, Verizon LTE Network Extender) are actual eNodeBs inside the carrier’s RAN. They will IPSEC tunnel back to a security gateway (SeGW), grab provisioning information, and then come up on the carrier’s commercial license as just another (fancy low powered) LTE radio on the network.

AT&T did try to add some additional tamper switches and protection inside their units so they’d brick if you opened them - that was known since the MicroCell era. I believe T-Mobile’s former CellSpots were also tamper-protected in the same manner (they both deployed Nokia LTE small cells).

AT&T also appears to now charge you for the privilege of deploying the newer Cell Booster Pros if you want 5G - I assume that cost ($30/mo per cell!) is basically covering licensing the backend for all of that.

Wi-Fi Calling uses a different SeGW endpoint and is pure IMS back to the carrier voice network, regardless if you shoot it over WiFi or back over a dedicated APN on the LTE network in the normal VoLTE fare.

parliament32

If the device is remotely managed and all IPSEC back to the carrier, who cares what network it's on? At worst you'd just get poor connectivity, I don't think there's any additional exposure here.

nelblu

Some of the comments pointed out that this is hostile behaviour for people roaming as well, and I completely agree. Here is my solution for this: When I am roaming internationally, I leave my SIM card in a spare Android at home plugged into a charger. Android has an app that forwards SMS to an API: https://f-droid.org/packages/tech.bogomolov.incomingsmsgatew.... Every time I receive an SMS I forward it to this API. The API in turn emails me the whole message.

I have been using this setup for a few years now without any issues. Even when I am not roaming, I still have this setup on my primary phone. So when I am on my computer and need an SMS OTP I don't need to go find my phone, I receive it in email :-).

(Note: This doesn't work with MMS but I don't need them anyway)

rsync

"When I am roaming internationally, I leave my SIM card in a spare android at home plugged into a charger. Android has an app that forwards SMS to API ..."

This is called a "2FA Mule":

https://kozubik.com/items/2famule/

I have done this for 4+ years now and it works wonderfully. Good for you!

pauldino

I did something similar where I left an old Android phone at home and logged in to what I think used to be messages.android.com (now google.com) from a laptop praying the session wouldn't get lost before I got back from my trip. :)

Lately though, SMS works over WiFi calling and usually if I need a real SMS where Google Voice won't cut it, it can wait for WiFi...

lldb

If your phone supports WiFi calling and dual SIM, you can get a data-only eSIM for the country you're visiting and you'll receive texts for your primary line over the data connection of the secondary eSIM.

barbazoo

Looks like this might stop working soon unless this process works without logging into the phone: https://mashable.com/article/android-smartphones-automatical...

apexalpha

I'm sorry, how is this related to roaming?

I roam all the time in Europe and have roamed a lot outside of it, I have never had any trouble receiving any SMS?

nelblu

Technically you are right, the SIM card isn't roaming, but I am physically roaming outside of my home network (internationally).

Some phone plans in my home network do not support international roaming, or if they do, it is so ridiculously expensive that it doesn't make any sense to take the phone roaming.

modeless

Google Fi can receive all SMS 2 factor messages on Wi-Fi including short codes. It doesn't even require that your phone is on, you can get them in any web browser on any device even if your phone is destroyed. One of my favorite features.

You can get service starting at $20 per month. Fi used to have good service in some mountain areas too, with US Cellular. Not sure what's going on with US Cellular right now though. Some kind of half acquisition by T-Mobile.

Ozarkian

I have been living outside the United States for twelve years.

I always had problems with SMS until I got Google Fi. And that's a problem because, as the article here says, many banks insist on SMS these days. There are various services that give you a virtual number. But they always suffer from one of two problems: (1) VOIP numbers are 'blacklisted' by some banks for security reasons: they want a real cell phone number; (2) I simply don't get SMSs in some cases for some technical reason.

Google Fi works everywhere. Even when there is no cell phone service: it will tunnel over WiFi.

Google shuts off the data on Fi after you've been outside the USA for a month. No problem, I'm happy to pay $25 a month for a 'dataless' connection that gives me SMS and voice.

cge

>Google shuts off the data on Fi after you've been outside the USA for a month. No problem, I'm happy to pay $25 a month for a 'dataless' connection that gives me SMS and voice.

To be somewhat more specific: while I travel extensively and am in the US often, I am often outside of it for more than a month at a time, and it appears that Google will shut off data outside the US if you use data outside the US for too long. If you are using a different SIM for the primary data connection, it appears that they won't even if you have it enabled as a backup.

arccy

Compared to prices for the rest of the world, you wouldn't want to use Fi for data anyway... just get a local or even "travel" eSIM and run with dual SIMs.

devoutsalsa

I've found that it's easy to get a data-only eSIM package through an app store app such as Saily, but it's harder to find a service that gives you a "real" phone number when traveling internationally. Any recommendations?

throw7

Are you able to use rcs and "messages for web"?

The last time I checked, if you wanted "cellphone is off" texting/voice (basically the old Hangouts), you had to enable "Fi syncing" which disabled RCS features. Is that still true? What URL do you go to to do texts/voice? (I see hangouts.google.com redirects to Google Chat.)

modeless

Yeah no it still disables RCS which is super lame now that iPhones finally support it. I hope Google gets around to fixing it someday. I'm not holding my breath. I'm just happy they didn't kill the feature when hangouts died. The URL changed, it's now https://messages.google.com/web/

stackskipton

Something somewhere is always hostile to a particular group. That's just a fact of life. You do your best to minimize it but can never eliminate it.

As someone who has dealt with 2FA support, all the methods suck.

SMS 2FA is least secure but has broadest support with quickest recovery method.

TOTP applications (Google Auth, Authy, iOS Passwords) are more secure, but people switch phones, lose phones and so forth, and recovery is always a nightmare.

Yubikey and the like have a cost problem, and you still have the recovery problem.

A clear solution in my mind is having the Federal Government run some form of centralized hardware based system where hardware could be replaced by government office after verifying identity. Government does this already for DoD CaC cards. However, in the United States, Privacy Advocates would lose their minds, and funding would constantly be under attack.

So yea, I get SMS 2FA is hostile to mountain people but 2FA is hostile to login services and executive yachts.

nine_k

> Privacy Advocates would lose their minds

Privacy of authentication may be a valid concern (e.g. during voting), but I don't see how it applies here. If what I want is to confirm to the bank that I am who I am, with all the details about me that I have told the bank already anyway, I very clearly and openly forfeit my privacy. I explicitly ask to be precisely identified.

Neywiny

Much agreement with the others that there's too much expectation. I rented a lime scooter for the first time last year. But, I messed up my VPN settings so I had no Internet. There was no way to tell the scooter I'm done. Even though it was stopped, no button to end the ride. They refunded me the extra time (which was maybe 5 of the 10 minutes) because they could see it was just stopped at a bike rack on gps. Idk what I'd do if my phone died or any other reasonably possible things when you're out and about and on a scooter.

TonyTrapp

Reminds me of DHL parcel lockers in Germany. The new ones don't have a screen anymore, so you are forced to use their app to use the locker, which somehow requires both a working bluetooth connection to communicate with the locker, AND you need a working internet connection on your phone. What's the point of that?! The parcel locker evidently already has a working internet connection, that should be enough.

ncpa-cpl

Reminds me of a cashless hotel laundromat that I had to use that didn't accept coins or tokens and didn't have a credit card reader. So to wash my clothes I had to find a charger to charge my phone, download an app, be able to receive SMS 2FA while roaming (which is hit or miss depending on roaming agreements), have a working internet connection, enable Bluetooth and Bluetooth Nearby Devices, and then top it up with a foreign credit card. It took about 30 minutes to set it up.

I guess this would be easier in a neighbourhood laundromat with local clients, but in a hotel with many foreigners it becomes a pain with so many dependencies needed to use the washer and dryer.

lxgr

Are you sure that the locker has an Internet connection?

Requiring Bluetooth and an Internet connection on your phone suggests that that's exactly what they removed on their side. Quite clever, if true – why pay for network connectivity if you can just piggyback on your customers'? (Never mind those customers without a smartphone and data plan...)

TonyTrapp

> Are you sure that the locker has an Internet connection?

Let's put it like this: The old ones (with a display) definitely do, because they can send email notifications. I would be very much surprised if the new ones didn't. The main reason for requiring the app isn't connectivity to the outside world, it is that they can save money on the terminal screens, which get vandalized frequently in some areas. The internet connection is probably a fraction of the cost of replacing those touch screens every few months.

dreamcompiler

1. Download the Google Voice app. This phone number works for some but not all 2FA services. Not all, because some explicitly forbid GV numbers because they're afraid of fraud. GV can receive SMS messages over wifi.

2. Ask the cell phone company for a femtocell. These used to be called "AT&T Microcells" and they were cheap. I used one before cell service improved because I live in the mountains. But apparently AT&T doesn't make them any more and now they cost $2500.

https://www.waveform.com/products/verizon-network-extender-f...

3. Subscribe to mightytext.net so you can get SMS on your computer. I don't know if this works if your cell phone can't get signal; I use it because I find it easier to use my laptop keyboard to type SMS messages than to use my thumbs on my phone.

magicalhippo

4. Get a USB modem and hook it up to a computer somewhere safe that has coverage, and access it via internet.

I'm building the opposite, using the modem and a Raspberry Pi to send me metrics from my cabin, but could easily work in reverse.

While prototyping I had it parse SMS messages I sent it.

Obviously not for everyone but we're on HN here...

lxgr

> Subscribe to mightytext.net so you can get SMS on your computer. I don't know if this works if your cell phone can't get signal

It can't – how would it?

The only entity that can forward texts is the carrier, and I doubt that that service is integrated with all US carriers to somehow get them forwarded (which is technically quite difficult for various legacy protocol reasons).

Apple's satellite messaging service is the only solution I know of that can somehow hook into carriers' SMS home router (or IMS equivalent) infrastructure to intercept and out-of-band forward SMS.

miki123211

> Apple's satellite messaging service is the only solution I know of that can somehow hook into carriers' SMS home router

Are you sure it actually does this?

I thought it was a pseudo-carrier that could speak MAP / Diameter, and just pretended you were roaming with them when you used satellite connectivity, perhaps with the original carrier's knowledge and consent.

As far as I understand, that's how this kind of service usually gets implemented.

lxgr

I assumed that that's how it works because I couldn't think of any other way to achieve the observed behavior, but pseudo roaming sounds plausible too, and presumably requires much less work on the carriers' side!

Would that approach also allow the extra functionality they seem to be offering, such as only recently messaged numbers and emergency contacts being able to send messages to satellite users, though? I suppose they could just reject all MT-Forward-SM with sender numbers they don't like?

> As far as I understand, that's how this kind of service usually gets implemented.

Do you have any other examples for solutions like this? Are you thinking of (pre-VoWifi) carrier apps or services that could receive texts, sometimes on multiple devices?

hedora

SMS and Signaling System 7 are incredibly insecure. It has to be so it can support scammers that call you from spoofed numbers.

Anyway, it’s probably possible to make a service like that. You might need to route through a country with permissive laws.

lxgr

SS7 is very insecure, yes, but intercepting inbound SMS is still orders of magnitude more difficult than spoofing sender/caller numbers.

Allowing SMS interception without the home network's consent seems like a quick way to get offboarded as a roaming partner.

Loudergood

The real bonus to security here: access to your SMS is protected via MFA.

dfawcus

Isn't SMS 2FA immune to SIM swapping attacks when the SIM is an unregistered PAYG one?

i.e. there is no way to contact the carrier and get the number reassigned to a new SIM unless one first registers the SIM, and hence binds the number to a known identity.

DennisP

I've read a fair number of cases where sim-swapping led to account hacks when the providers got talked into resetting passwords. It happened to a friend of mine. So I would say SMS 2FA is more hostile to people who are able to use it.

kaikai

Oh, this happens to me. I didn't even realize that's why I wasn't receiving some SMS codes, because sometimes it works and sometimes it doesn't. I live in a rural area and have Spectrum for both wifi and mobile (just like the woman in the article). I have some cell service, but depending on how strong it is on any given day, I am usually relying on wifi for calling and SMS.

SMS codes have been hit or miss, and this explains it well.

miki123211

This made me wonder whether it would be possible to build a Wi-Fi-only, roaming-only carrier for computers.

Your carrier is already capable of redirecting your SMS messages to other carriers, that's what they do when you're abroad and roaming with a foreign operator. You could make a fake carrier that speaks the right protocols on the roaming side, but communicates with the customer over the internet (using an API or a proprietary app) instead of LTE or GSM.

This would essentially work like an SS7 redirection attack, but with the full knowledge and consent of the "victim." You could alleviate the security impact here by requiring SIM card authentication, just like a normal carrier does, which could be performed through the internet and a USB reader just fine.

Carriers would probably hate this and might not be willing to sign roaming agreements with such a company. I wonder whether a gray-hat route would be possible here, especially if the company was outside US jurisdiction.

Marsymars

> This made me wonder whether it would be possible to build a Wi-Fi-only, roaming-only carrier for computers.

This has essentially been tried multiple times, e.g. by FreedomPop and Republic Wireless.

immibis

> Carriers would probably hate this and might not be willing to sign roaming agreements with such a company.

This is THE problem with your idea. Congress would have to pass a law forcing them to do it, or they won't.

You'd probably have more luck physically keeping someone's SIM card, keeping it installed in a phone, and watching for new texts. Perhaps you could make a box that simulates 10 phones at once.

Calwestjobs

TOTP, HOTP.

SMS needs your number. Your data is more valuable if marketers can assign your real name to your data, or aggregate all data about you; a phone number helps with that.

gruez

>your data is more valuable if marketers can assign your real name to your data. or aggregating all data about you, phone number helps with that.

This is mostly a red herring because most of the places that require SMS OTP already have your full name/address (eg. financial institutions, healthcare providers) or are in a position to intercept communications from which they can infer that information (eg. Google). If apps/sites like TikTok want my phone number for 2FA, they can fuck off, or get a burner number.

globie

I don't understand how this post stacks up against the myriad of communications apps that not only require phone verification when creating a new profile (and maybe SMS2FA), but put great effort into blocking as many VoIP/burner/prepaid numbers as possible.

"Most"? Maybe "a troubling few"?

Phone verification is absolutely a widely exploited data mining opportunity, I don't see how it's a red herring at all. It's one of the worst surveillance mechanisms we live with today, only partially waved away with the 2000's concept of burner numbers.

PaulHoule

To single out Meta properties, I'd point to both Instagram and WhatsApp. It was an official policy early on that you could only create a WhatsApp account if it was connected to a "real" cellular number, I think the same has been true about Instagram for a while in that every time I tried to create an account without a cellular number it didn't work. Put in a cellular number and it worked just fine.

Calwestjobs

Yes, marketers get your name from your bank etc.; you cannot lie there about your name. And everywhere else, your data is connected just by your number.

Same problem with Signal Messenger or Facebook Messenger building databases of numbers and contacts. A Neo4j clone from Palantir.

lxgr

Neither TOTP nor HOTP provides the "what you see is what you sign" property, unfortunately, which can be critical for bank and other transactions.

"Enter this code only if you want to pay <amount> to <merchant>" is much more secure than "enter your TOTP here", which is a lot like issuing a blank check in comparison (and in fact required by regulation in the EU, for example).

Not even WebAuthN provides that property on a compromised computer; for that, you'd need something like the SPC extension [1] and a hardware authenticator with a small display.

That's unfortunately why we're currently stuck with proprietary bank confirmation apps that can provide it. I really wish there was a vendor-neutral standard for it, but given how push notifications work (or rather don't work) for federated client apps, I'm not holding my breath.

[1] https://www.w3.org/TR/secure-payment-confirmation/
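The "blank check" problem described above (and in the earlier comment that a TOTP code cannot be tied to a recipient and amount) can be made concrete. This is an added example, not code from the thread or any bank's scheme: RFC 4226/6238 HOTP/TOTP beside an illustrative transaction-bound code that mixes the amount, payee and a nonce into the HMAC input, with the server-side checks for both. All secrets, names and amounts are constructed.

```python
import hashlib
import hmac
import json
import struct


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at an offset given by the low nibble
    of the last MAC byte, clear the sign bit, keep the requested decimal digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side login check. Note what is NOT an input: the transaction the user
    believes they are approving. Any fresh code authorises whatever request carries it."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * 30), code):
            return True
    return False


def transaction_code(secret: bytes, amount_cents: int, payee: str, nonce: int,
                     digits: int = 6) -> str:
    """A code bound to what the user sees. The details on the confirmation screen are
    canonically encoded and mixed into the HMAC input, so the code only verifies
    against that exact amount, payee and per-transaction nonce. Illustrative
    construction written for this example, not any bank's or standard's scheme."""
    canonical = json.dumps(
        {"amount_cents": amount_cents, "payee": payee, "nonce": nonce},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    mac = hmac.new(secret, canonical, hashlib.sha256).digest()
    return _truncate(mac, digits)


def verify_transaction(secret: bytes, code: str, amount_cents: int, payee: str,
                       nonce: int) -> bool:
    """Server-side check that recomputes the code from the transaction it is about to execute."""
    expected = transaction_code(secret, amount_cents, payee, nonce)
    return hmac.compare_digest(expected, code)


# Constructed demo values; not a real key, account, payee or timestamp.
DEMO_SECRET = b"constructed-demo-shared-secret"
DEMO_TIME = 1_700_000_000
DEMO_NONCE = 42


def tampered_request_outcomes() -> dict:
    """Model a compromised browser that swaps the transfer details after the user has
    read the code off their device, then relays the code. The user intended 20.00 to
    'Grocer'; the request the server receives says 2000.00 to 'Mule Account'
    (constructed names). Returns whether each scheme lets the swapped transfer through."""
    intended = (2000, "Grocer")
    swapped = (200000, "Mule Account")

    # Blank-check scheme: the authenticator shows a TOTP with no transaction context.
    login_style_code = totp(DEMO_SECRET, DEMO_TIME)
    totp_accepts_swap = verify_totp(DEMO_SECRET, login_style_code, DEMO_TIME)

    # What-you-see-is-what-you-sign scheme: the device displays "pay 20.00 to Grocer"
    # and derives the code from exactly those details.
    bound_code = transaction_code(DEMO_SECRET, *intended, DEMO_NONCE)
    bound_accepts_intended = verify_transaction(DEMO_SECRET, bound_code, *intended, DEMO_NONCE)
    bound_accepts_swap = verify_transaction(DEMO_SECRET, bound_code, *swapped, DEMO_NONCE)

    return {
        "totp_accepts_swapped_transfer": totp_accepts_swap,
        "bound_accepts_intended_transfer": bound_accepts_intended,
        "bound_accepts_swapped_transfer": bound_accepts_swap,
    }


if __name__ == "__main__":
    for name, outcome in tampered_request_outcomes().items():
        print(f"{name}: {outcome}")
```

The bound scheme only helps if the device rendering "pay 20.00 to Grocer" is separate from the compromised browser, which is why the comment points at hardware authenticators with their own display.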

Calwestjobs

The only system which does it securely is a Bitcoin cold wallet / offline-computer-signed transaction,

or, as you pointed out, signing it on a smartcard with a keypad reader.

But for login, TOTP is better than anything else. I can put it on an Arduino with a small OLED board and have it in a safe/vault offline.

And there is no way for an attacker to MITM, and here lies the problem: companies cannot blame you as easily as with currently deployed technologies... they hide breaches all the time, f... PCI

vanburen

Yeah, this is a big problem. I have been sent 2FA messages via WhatsApp by some services (e.g. PayPal).

This isn't great, but better than SMS and having to have a separate app for each authenticating service though.

A vendor neutral service would be a lot nicer.