5
Hot take: 2FA through SMS is worse than no 2FA at all
I used to think any extra layer of security was better than nothing. Then I had a client get their SIM swapped last month while we were mid-project. Someone called T-Mobile pretending to be them, ported the number to a burner phone, and drained their bank account through SMS password resets. Took me 3 days to convince them to switch to an authenticator app. SMS is literally just a text message. Any social engineer can grab it. Why do companies still push this as a security feature? Am I wrong here or has anyone else seen this happen?
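To make the contrast in the post concrete: an SMS code is bound to a phone number, and whoever the carrier will port that number to gets the code. An authenticator app instead computes the code locally from a secret that was shared once at enrollment and from the current time (TOTP, RFC 6238), so nothing about the phone number is involved. The following is an added example, not code from the original post or from any vendor: a minimal TOTP implementation with the enrollment step that produces the secret the QR code carries, plus a verifier that tolerates clock skew and refuses to accept a code twice. The `example_issuer` / `example_account` names are placeholders, and the `RFC_TEST_SECRET` is the published RFC 6238 test-vector key, used here only so the output can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# RFC 6238 Appendix B test-vector key (ASCII "12345678901234567890"), not a real secret.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, unix_time // step, digits, algo)


def enroll(issuer: str, account: str) -> tuple[bytes, str]:
    """Server-side enrollment: generate a fresh 160-bit secret and the otpauth URI
    that the QR code encodes. This is the only moment the secret crosses to the
    device; afterwards the phone number plays no part in generating codes."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{issuer}:{account}?secret={b32}"
           f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")
    return secret, uri


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1,
                last_counter: Optional[int] = None) -> Optional[int]:
    """Accept a code from the current step or +/- `window` steps (clock skew),
    but never a counter at or below the last one already accepted (replay).
    Returns the matching counter so the caller can store it, or None."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if last_counter is not None and c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


if __name__ == "__main__":
    # Enrollment for a constructed account; the URI is what the app scans.
    secret, uri = enroll("example_issuer", "example_account")
    print(uri)
    now = int(time.time())
    code = totp(secret, now)
    used = verify_totp(secret, code, now)          # first use: accepted
    replay = verify_totp(secret, code, now, last_counter=used)  # second use: rejected
    print(code, used is not None, replay is None)
```

The verifier's `window` is what lets a slightly slow phone clock still pass; keeping it at one step either side is the usual compromise. Persist the returned counter per user and pass it back as `last_counter`, otherwise a code captured by shoulder-surfing or a phishing page remains valid for the rest of its 30-second step.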
3 comments
the_patricia, 8d ago
"Hard sell" is putting it mildly. I get what you're saying, but honestly I think people are overreacting a bit with this stuff. Yeah, SIM swapping is real, but it's not like it happens to everyone every day. Most people are more likely to lose their phone or break it than get their number stolen by some hacker. And authenticator apps have their own problems: what if your phone dies or you drop it in a puddle? Now you're locked out of everything. Hardware keys are fine for tech nerds, but try explaining that to my aunt who still types her password in with one finger. The real problem is companies that let you reset a password with just a text message in 2024. That's on them, not on the whole concept of SMS.
6
vera_roberts, 9d ago
You had them switch to an authenticator app too? I told my client to get a hardware key after their scare, that finally got them to stop using SMS.
4
felix488, 8d ago
My client had like 4 different SMS-based phishing attempts in one month before they finally agreed to switch. I got them a YubiKey after their third scare because authenticator apps are better but still rely on having the phone on you. The hardware key thing was a hard sell at first because they thought it was too complicated but after actually showing them how it works they liked it way more than the app.
2