On 4/19/21 05:05, Eric Kuhnke wrote:

> One of my main problems with SMS 2FA from a usability standpoint,
> aside from SS7 hijacks and security problems, is that it cannot be
> relied upon when traveling in many international locations. I have
> been /so many places/ where there is just about zero chance of my
> T-Mobile SIM successfully roaming onto the local network and receiving
> SMS at my US or Canadian number successfully.
>
> What am I supposed to do, take the SIM out of my phone, put it in a
> burner and give it to a trusted family member in North America, just
> for the purpose of receiving SMS 2FA codes (which I then have to call
> them and get the code from manually each time), before going somewhere
> weird?
>
> In the pre-COVID-19 era when people were actually traveling places,
> imagine you've had reason to go somewhere weird and need access to a
> thing (such as your online banking, perhaps?) protected by SMS 2FA,
> but you have absolutely no way of receiving the SMS where you're
> presently located...
>
> Many of the people designing SMS 2FA systems used by people with
> accounts/services in the US 50 states and Canada seem to assume that
> their domestic customers will forever remain in a domestic location.

This is a practical problem that I suffer with one of my South African
providers, every time I traveled to the U.S. in the last 3 years. I
could roam on all GSM networks in the U.S., and even make voice calls,
but SMSes would not get delivered. Delivery of those only resumed the
moment I transited in the Gulf on my way back home. This did not affect
other countries I traveled to.

But you are right, most network operators and SMS authentication
designers do not necessarily work together to account for folk that travel.

Mark.