Let's Ban SMS 2FA
SMS 2FA is like playing security roulette, and nobody seems to care. There, I said it.
Now that I’ve got that out of the way, let’s talk a bit about why we should actually ban SMS 2FA.
A quick note: I’ve rewritten this post to present a more balanced view of the topic. You can find the old version on the Internet Archive.
The problems
SMS 2FA is something of a paradox in and of itself. Two-factor authentication is generally positioned as a way to increase your security; however, SMS is a poor channel for carrying a secret. Text messages have no end-to-end encryption: over the air they get only whatever link encryption the carrier's radio network applies (on 2G GSM that is the long-broken A5/1 cipher, or nothing at all if the phone is downgraded to A5/0), and inside the carrier network and across SS7 they travel in the clear. This means that a bad actor with a fake base station near you, or with access to the SS7 signalling network, can intercept the 2FA codes that are texted to you.
However, interception in transit is not the only concern here. SIM swapping is another method that can give an attacker access to your SMS messages: the attacker calls your phone company, claims to be you, and asks to move your phone number over to a SIM card they control. While the FCC is taking action to fight SIM swapping, it is still very much a relevant attack; in fact, last month (January 2024) the U.S. Securities and Exchange Commission had its Twitter (yes, I’m still calling it Twitter) account hijacked in a SIM swap attack.
To be fair, SIM swapping is not a trivial attack. It generally requires social engineering the carrier's support staff, which makes it less useful for opportunistic attackers. However, eSIM swapping is starting to gain popularity. This attack is less complex to carry out, because it doesn't require social engineering the phone company at all: an attacker who obtains the victim's carrier account credentials can log in and transfer the eSIM themselves.
Companies don’t care
You might be wondering why this is such a big problem. Sure, SMS is offered as a 2FA method on many sites, but you don’t need to enable it, right? Well, it turns out that platforms like PayPal and Amazon don’t care that SMS 2FA is insecure. If you want to set up any form of 2FA for your account, you are forced to set up SMS as a fallback option. This makes their 2FA support little more than a farce: an account is only as strong as its weakest accepted factor, so anybody attacking your Amazon or PayPal account can bypass your TOTP app or security key by intercepting a single SMS. The reasoning for this? “If you lose your 2FA device, we’ll text you a code to recover access to your account.”
(A bit more on account recovery: given a valid email address, PayPal will happily send you a text to verify a password reset, and Amazon lets you reset your password with just a phone number. This means that as long as you know that somebody has an Amazon account that may be linked to their phone number, intercepting their SMS could give you full access to their Amazon account, without ever touching the second factor.)
Even on the services that aren’t forcing SMS 2FA down your throat, SMS is still presented as an option on many sites. Its ease of use has undoubtedly led many people to say “Oh, I’ll just use SMS since it’s easier”, which leaves those people more vulnerable to attack.
Having said this, I must offer a commendation to Twitter. In 2023, they disabled SMS 2FA for anyone not subscribed to Twitter Blue, citing its insecurity as the reason. I’d prefer if Twitter had disabled SMS 2FA across the board, but even if they left it as an incentive for people to pay for Twitter, it’s still a welcome change.
It isn’t that hard to fix
Now, some people might start complaining that changing their SMS 2FA deployment will be a huge technical problem. No, it won’t. Companies have several options here:
- Use TOTP. Adding TOTP support is fairly trivial: a TOTP code (RFC 6238) is just an HMAC over a shared secret and the current 30-second time step, truncated to six digits, so the server only has to store one secret per user and compute that HMAC at login (you’ll probably also want a QR code generator for the otpauth:// enrolment URI, but that’s technically optional). And it’s not like you’ll have to roll your own implementation; GitHub is full of TOTP libraries (and apps). This does require the user to install a TOTP app, but there are many trusted TOTP apps available, so that shouldn’t be a big problem.
- Use passkeys, the latest and greatest in 2FA security. A passkey is a WebAuthn credential, a public/private key pair whose private half never leaves the authenticator, stored by the platform’s credential manager or a password manager and synced across your devices rather than living on a single hardware security key (as an aside, apparently Yubico stopped making these in blue). They are supported by modern browsers and phone operating systems, not to mention password managers like Bitwarden, and are generally designed to be extremely simple to use. Because the browser binds each signature to the site’s origin, a passkey also can’t be phished the way an SMS or TOTP code can. Users generally shouldn’t need to install any extra apps to use passkeys.
- If your 2FA flow is hardcoded in such a way that you have to use an SMS-like flow where you send the user a message containing a one-time code which the user must repeat back to you, you can at least swap SMS for a different service. Some platforms support email, but you could also use something like end-to-end encrypted Matrix chats, or you could even bake a 2FA sending service into your app the way GitHub does. If you really can’t drop SMS, at least try to upgrade messages to RCS whenever possible. (If you are using Twilio Verify, you are already being automatically upgraded to RCS.) Keep in mind, though, that RCS is a much smaller win than the other options: it is delivered to the same phone number, so a SIM swap redirects it just like SMS, and as of early 2024 RCS is only end-to-end encrypted between clients that both support it (Google Messages to Google Messages), so the upgrade mostly protects the code in transit to the carrier.
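To show just how little the TOTP option above actually asks of a service, here is a complete server-side implementation as an added example (this is illustration written for this post, not code from any of the libraries or sites mentioned). It uses only the Python standard library; the per-user `last_counter` attribute is a hypothetical in-memory stand-in for whatever database a real service would persist it in, and the RFC 6238 test secret and timestamps are the constructed inputs.

```python
"""TOTP (RFC 6238) server side: enrolment, code generation and verification.

Added illustration for this post, not code from the original. Standard
library only. `last_counter` is a hypothetical in-memory store; a real
service keeps it per user in its database.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret (160 bits, RFC 4226's recommended minimum),
    base32-encoded without padding, as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def decode_secret(secret_b32: str) -> bytes:
    """Re-add the '=' padding that apps strip, then decode to raw key bytes."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded, casefold=True)


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI, the text normally rendered as a QR code at enrolment."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(key, int(at // step), digits)


class TotpVerifier:
    """Verifies submitted codes for one user.

    - accepts +/- `window` time steps of clock drift between app and server,
    - compares in constant time,
    - remembers the highest accepted counter so a code cannot be replayed
      within its validity window (RFC 6238 section 5.2).
    """

    def __init__(self, secret_b32: str, step: int = 30,
                 digits: int = 6, window: int = 1):
        self.key = decode_secret(secret_b32)
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = -1  # hypothetical in-memory store; persist per user

    def verify(self, submitted: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        current = int(now // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # this step (or an older one) was already used: replay
            expected = hotp(self.key, counter, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed input: the RFC 6238 appendix B test secret
    # ("12345678901234567890" in base32) and one of its reference times.
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(provisioning_uri(generate_secret(), "alice@example.com", "Example"))
    v = TotpVerifier(rfc_secret)
    code = totp(v.key, 59)               # "287082" (RFC vector 94287082, 6 digits)
    print(code, v.verify(code, now=59))  # True
    print(v.verify(code, now=59))        # False: replay of an accepted code
```

The two details worth copying into any real deployment are the ones SMS flows usually get wrong too: the constant-time comparison, and the stored `last_counter`, which turns a six-digit code into something that is genuinely single-use instead of valid for ninety seconds to anyone who saw it.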
What we can do about it
How can we combat SMS 2FA? It turns out that there’s a surprising amount of things you can do.
- Disable SMS 2FA for any account that will let you turn it off. Obviously, you’ll have to keep SMS 2FA on for Amazon and PayPal, but at least reduce your usage of SMS 2FA as much as possible.
- Write to companies that force SMS 2FA and ask them to remove it.
- Tell others about the risks of SMS 2FA. The more people know about this risk, the less the chance that one of them will fall victim to a SIM swap.
- If you work at a company that has SMS 2FA deployed, ask them to remove it from your product. This is especially true if you work at PayPal, Amazon, or anywhere else that is a likely target for attackers. This includes banks (yes, my bank forces SMS 2FA, and no, I’m not happy about it).
- If you live in the US, write to your representative in Congress and urge them to introduce legislation banning the use of unencrypted message-based 2FA (and mention the SEC Twitter hack to show that the government itself is susceptible to this attack). If you don’t live in the US, write to whoever represents you in your government (e.g. EU residents can write to their MEP). While this may seem like a bit of a long shot, it’s possible that your message could result in an actual law. EU residents are especially likely to succeed, given the EU’s historical stance on legislating sane tech laws (i.e. the GDPR and the DMA).
- Share this post, or if you have your own blog, write your own post on this subject! The more publicity this issue gets, the better.
The part where I backtrack a bit
Having said all of this, is SMS 2FA completely evil? The answer is actually complex. First, while SMS 2FA is insecure, it is better than no 2FA at all: it still stops the most common attack, someone logging in with a password leaked from another site, because that attacker has put no effort into targeting you specifically and has no way to read your texts. Second, it is user-friendly. TOTP, passkeys, and physical security keys all tend to be more effort to learn to use than a simple SMS verification scheme. To successfully remove SMS 2FA, we’ll have to educate the general public on how to use the alternatives or create a truly simple-to-use alternative. I do think that passkeys could become a good solution, however, as device and browser makers have put a lot of effort into making them a seamless option.
Conclusion
I hope you enjoyed reading this little rant here. Hopefully, you were inspired to take action in some way to help remedy the SMS 2FA problem. If you sent a letter to your government representative or started a discussion at your company to try to remove SMS 2FA, please leave a comment below! If this post gathers enough attention and people start logging their actions below, I’ll create a page tracking all our SMS 2FA shenanigans to help keep tabs on the situation.