To understand why we don’t need SMS 2FA, we’ll order the factors from least secure to most secure.
- Password + SMS 2FA
- Password + Authenticator App
- Unique Password
- Unique Password + U2F
*A unique password is a reasonable length, random, and never reused password.
Password – Affected by phishing attacks, credential stuffing attacks, malware, and brute force guessing.
Unique Password + U2F – Immune to credential stuffing attacks, immune to phishing attacks, affected by some malware but with better odds than everything else.
Why Have 2 Factors When 1 Will Do?
Using a Unique Password is better than using a Password + SMS 2FA.
- Is immune to credential stuffing attacks, unlike Password + SMS 2FA.
- When used with autofill it protects against phishing, unlike Password + SMS 2FA.
- Cheaper than SMS 2FA for both the user and the service.
- Helps fix users’ bad habit of reusing passwords.
- Requires fewer steps and complexity.
- Doesn’t require 3rd party support.
A Unique Password protects you from more attacks than SMS 2FA.
| Attack | Unique Password | Password + SMS 2FA |
|---|---|---|
| Credential stuffing | Not Affected | Affected |
| Phishing | Not Affected (with autofill) | Affected |
| Brute Force | Not Affected | Affected |
| SIM Swapping | Not Affected | Affected |
| SS7 Exploits | Not Affected | Affected |
| SMS Reset | Not Affected | Affected |
There is no benefit to having Password + SMS 2FA when a Unique Password is overall better.
Half the reason why SMS 2FA gets implemented is to fix the password reuse problem… but 2FA is not an excuse for password reuse!
Consider The Grandma Test
Which is easier: having grandma write down 3FD-8DD-AC4B in her password book?
Or having grandma remember which one of her reused passwords she picked and which app the 2FA code was for, then waiting for the code to arrive and knowing what to do if it doesn’t?
- SMS 2FA doesn’t solve the password reuse problem; she continues her bad habit.
- SMS 2FA doesn’t protect her against phishing.
- SMS 2FA is another thing she needs to figure out.
- SMS 2FA is something else for her to lose.
- SMS 2FA is something else that can stop working.
- SMS 2FA creates new points of attack against grandma, for example, SMS 2FA password resets.
SMS 2FA isn’t helping grandma; it’s making it worse for her.
Having grandma write down a generated password is vastly simpler, more accessible, cheaper, and more secure than SMS 2FA will ever be.
Unique Passwords > SMS 2FA + Any Password
There is no benefit to having SMS 2FA when a unique password is an option.
Combined with the fact that you can’t use the internet without a web browser and every web browser offers to save and fill passwords for you, it just makes sense to use unique passwords.
The most popular browser is Chrome, and it works on all devices. Chrome saves, fills, and generates passwords. Google does a better job of securing your account than your phone provider will ever do. Google themselves don’t rely on SMS 2FA due to its vulnerabilities.
Yet, people still fight to keep SMS 2FA.
The only reason to keep SMS 2FA is if you want to track your users. Maybe that’s why it’s still around?
Tavis Ormandy: You don’t need SMS-2FA – https://blog.cmpxchg8b.com/2020/07/you-dont-need-sms-2fa.html
PasswordBits – https://passwordbits.com/dont-need-sms-2fa/