If you are a SaaS provider or bank, and you let password resets happen by SMS, you are a threat to your customers.
Stop doing this.
First, and a no brainer: offer "continue with ____" sign ins (OpenID Connect / OIDC) for users of Google, O365, Apple, to get out of the account creds business for most users.* (See also: passkeys.)
Second, prefer TOTP as the MFA, not SMS.
Third, if you absolutely have to do SMS for some dark pattern "harvest my customers' phones" reason, use it exclusively as a second step, never as an only factor.
* For most customer firms using M365 or Google accounts, if you couple accepting OIDC with a domain validation to the customer's email address, you don't have to do SSO/SAML, since OpenID connect + domain accomplishes roughly similar goals on both sides without the per client company configuration overhead or "SSO tax": https://sso.tax/
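Added example (not from the original comment): the claim checks a relying party would run after its OIDC library has verified the ID token signature, implementing the "OIDC plus domain validation" pairing described above. The issuer list, client ID, verified domains and the sample claims are all constructed for illustration; note that the account is keyed on issuer plus `sub`, never on the email string.

```python
# Assumption: the ID token signature has already been verified by the OIDC
# library; these checks run on the decoded claims only.

def accept_oidc_login(claims: dict, client_id: str, allowed_issuers: set,
                      verified_domains: set, now: int) -> tuple:
    """Return (accepted, reason_or_account_key)."""
    if claims.get("iss") not in allowed_issuers:
        return (False, "untrusted_issuer")
    aud = claims.get("aud")
    aud = {aud} if isinstance(aud, str) else set(aud or [])
    if client_id not in aud:          # token minted for some other app
        return (False, "wrong_audience")
    if int(claims.get("exp", 0)) <= now:
        return (False, "expired")
    # Domain validation: the IdP must assert it verified the address, and the
    # address must belong to a domain the customer firm proved it controls.
    if claims.get("email_verified") is not True:
        return (False, "email_unverified")
    domain = claims.get("email", "").rpartition("@")[2].lower()
    if not domain or domain not in verified_domains:
        return (False, "domain_not_verified")
    if not claims.get("sub"):
        return (False, "missing_subject")
    # Stable identity: iss + sub. Emails can be reassigned; sub cannot.
    return (True, f"{claims['iss']}|{claims['sub']}")


# Constructed sample claims (not a real token).
SAMPLE_CLAIMS = {
    "iss": "https://idp.example",      # placeholder issuer
    "aud": "client-123",               # placeholder client id
    "sub": "user-abc",
    "exp": 1_700_000_600,
    "email": "alice@customer.example",
    "email_verified": True,
}
```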
It is absolutely not a no-brainer to use Google/etc accounts instead of handling that oneself. The last thing we need is an Internet which is unusable to anyone who chooses not to have (or gets banned by) big tech companies. I myself refuse to use the federated login option because I value the ability to not tie my entire life to my Google account.
I'm pretty sure you didn't have the "for most users" qualification when I first replied. I may be mistaken, but I don't remember seeing it at any rate.
There are plenty of options for 2 factor apps that don't require login. In fact, even Google's authenticator app does not require you to login. You can use it locally and store the codes locally.
> if you absolutely have to do SMS for some dark pattern "harvest my customers' phones"
I had a bank that asked for my phone number when I sign up, and I gave them a landline number that is not capable of receiving SMS. Some years later, without any input or authorization from me, they decided to enable 2-factor using this landline number. It was super annoying.
My other bank accepts Yubikey. I wish more banks would do this.
> First, and a no brainer: offer "continue with ____" sign ins (OpenID Connect / OIDC) for users of Google, O365, Apple, to get out of the account creds business for most users.* (See also: passkeys.)
Thanks but no thanks, the last thing I want is for Google to be in the chain for something as vital as banking. One false signal in Google's AI model and you're permanently fucked. Or someone compromising the email account (not just credential stuffing but e.g. cookie theft).
> Second, prefer TOTP as the MFA, not SMS.
People loathe app-based (or, even worse, RSA token-style) OTP; especially if they lose their phone or it becomes permanently damaged, you're fucked unless you made a backup.
SMS in contrast? Even your 80-year-old grandma can use that, and most common failure modes (i.e. stuff requiring support from you) are handled by the telco.
If you use SSO for a consumer account, you still need to provide a way to reset the account when the identity account is no longer available. That reset path is still most likely the weakest link. Not to mention that some of the identity providers will allow reset with only SMS, and once someone gets in there, now they're in everywhere.
I still like it for corp SSO though; you can force corp accounts to SSO only with no recovery, and you can force the corp account recovery to be difficult.
My bank offers 3 choices for MFA; not sure which of #1 and #2 is more secure:
1. Password + SMS one-time-password
2. 4-digit pin + 6-digit TOTP
3. No MFA
They do, at least, offer the option of disabling automatic password-resets via SMS code, but I know from experience that you can authenticate yourself to a CS rep with just name, SSN, and a SMS code, and presumably a CS rep can reset your password.
Not until I can backup a passkey without Apple or Google acting as the steward. I need a system where I know that if my phone is lost, I can restart my digital identity without a tech giant.
I have mine in Bitwarden but I didn't think carefully through this, I just used what I had. It looks like Vaultwarden hasn't yet added support so you can't rehost without Bitwarden but you don't need Apple or Google.
The alternative is to educate the users. People use SMS because they've been coerced into believing it is secure, and had the wool pulled over their eyes for $reasonsToGetYourData.
Educate me please, if I value availability, are there any options better than SMS?
OIDC means your digital life is destroyed if Google ever decides to ban you. And they are well known to do so, and there is normally no recourse once you are banned. You have to be either brave or stupid to trust your security to tech giants.
Passkeys, TOTP are vulnerable to your device getting lost or broken, something that can also happen a lot.
Sadly, if you want things to work no matter what, SMS are your best bet.
Ok, I honestly don't know—is there a way to use this to secure access to an account generally, without having access to the password? I.e. do authentication providers use phone as a sole method of identity verification for any major service?
Honestly even TOTP is negligent to support at this point.
TOTP is phishable, and the root secrets are stored in most TOTP apps (including Google Authenticator) in plain text, usually in SQLite, because almost no enclaves support the TOTP algorithm.
The only hardware devices that -do- support TOTP like Yubikeys or Nitrokeys also support WebAuthn in which case just use that.
A hard requirement of Virtual Passkeys and hardware WebAuthn devices should be a bare minimum for auth security in 2024.
Passwords and one time codes are phishable 90s solutions to the problem and it is nuts they still are so dominant.
TOTP is a compromise, like everything in security, and one that’s fairly secure. Until we reach a point where hardware tokens or virtual passkeys become mainstream (and their related usability issues addressed), we will be stuck with the “something you have” factor needing to temporarily move into the “something you know” factor via the TOTP. The fact this expires within 30 seconds makes the attack vector more limited; also, unlike an SMS code that providers use to verify you while on the phone with them, you never give this code out (found on a separate app) to a person on the phone, which helps separate this particular factor from SMS.
The truth is that, while they offer superior security, hardware tokens and virtual passkeys are not accessible to the masses one way or other. This is a problem that should eventually be solved but nearly all prior attempts cannot supplant the ubiquity of passwords.
Passkeys are easier to use, harder to lose, and more secure than TOTP or passwords in every way. If you have a web browser from the last couple years you can use a passkey.
You do not often get a win that clear in security. It is a no brainer to mandate for users today, and stop wasting customer support hours on dealing with accounts compromised by phishing.