SECURITY
Let Me Say No to SMS: Why I Want More Control Over My Own Security
We can’t kill SMS authentication just yet, but we could start down the path
Medium no longer pays enough to be worthwhile. Therefore, I am removing my stories from their paywall. If you enjoy my posts, please consider making a contribution, recurring or not. Thank you.
There’s been a recent push to create laws requiring all websites to use two-factor authentication. I don’t know who started it, but as usual, the me-too news sites have grabbed the ball and are running with it. There’s a tiny little problem with a law like that: it’s a horrendously stupid idea.
Why stupid?
Laws like this often focus on adoption, not implementation quality or user control. The danger is that they will mandate 2FA without distinguishing between SMS and a hardware or app-based key.
Laws also seldom think about the future. SMS is a bad choice now, but passkeys and hardware/app keys could become just as bad in the future.
A law that insisted on passkeys or digital keys (hardware or apps) and that allowed SMS as a fallback that users could disable would be helpful, but I doubt that would ever pass.
I’ve learned that some insurers now offer lower premiums or higher coverage limits if companies implement phishing-resistant multi-factor authentication. Others exclude SMS-based authentication from their accepted controls for high-risk clients. That’s probably much smarter than a law!
What’s wrong with SMS?
Nothing, unless someone at your wireless provider can be bribed, or simply talked into, moving your phone number onto a SIM the attacker controls (a SIM swap). That has happened, repeatedly, and once it does, every code sent to “your” number lands in the attacker’s hands. SMS can be both a safety net and a trap.
But, SMS is built into every phone. No setup, no extra app. Convenience!
Oh, and I just found out that few companies send you SMS codes directly. Nope, they use middlemen — and those companies could scarf those codes to use themselves. Ugh!
So we should ban it?
Eventually, yes. But right now, too many users can’t or won’t move to better methods, either because their device is incapable, or because they are too lazy or simply do not understand how to set them up.
And, in some cases, users have good reason to want to share their logins with someone else. They want to use a password only, as any additional authentication may be hard or impossible to share.
More secure methods could lock you out
It happens. If someone loses access to their phone and doesn’t have SMS, they may be locked out for good. Very early on, I lost access to my iCloud account. At the time, I had nothing there but backups, so I just created a new Apple ID and made sure that could never happen again; it didn’t matter very much.
But you’ve probably read stories about people losing access to millions of dollars worth of cryptocurrency. The trap cuts the other way too: in 2022, a Coinbase user lost $90,000 after an attacker used a SIM swap to intercept their SMS 2FA code. They had no other option for protecting their account.
Ouch!
Rock and a hard place?
Sure feels like it. That’s why websites keep SMS around — as a safety net in case users lose access to stronger authentication methods.
Google will let you disable SMS for your account — and that’s a good start. But what if some of the sites you use still rely on it? Ideally, services like Google and Apple could offer granular control: allow SMS for these sites, but not those.
Unfortunately, many sites/apps won’t let you remove SMS at all. Even if you’ve set up a hardware key or passkey, they still insist on keeping your phone number on file — often as a recovery method.
But here’s the problem: if someone hijacks your number, and SMS is still active on one of those sites, they can probably reset your password and then log in as you.
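To make that weakest-link point concrete, here is a small Python model added to this article (it is not code from any real service). An account is a set of alternative paths, each a list of proofs the site demands; an attacker who has hijacked your phone number starts with nothing but the ability to receive SMS codes, and taking over one account (say, your mailbox) hands them proofs usable against the next. The account configurations below are constructed examples, not any site’s actual policy.

```python
"""Weakest-path audit of login and recovery settings (illustrative model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    site: str
    # Each path is a tuple of proofs that must ALL be presented.
    # Presenting any single complete path grants access to the account.
    paths: tuple
    # Proofs the attacker gains elsewhere once this account falls, e.g. a
    # compromised mailbox lets them click password-reset links.
    grants: tuple = ()


def reachable(accounts, start):
    """Return {site: path_used} for every account an attacker can take over,
    beginning with the proofs in `start` and chaining takeovers until no
    further account falls (a simple fixed-point computation)."""
    have = set(start)
    fallen = {}
    changed = True
    while changed:
        changed = False
        for acct in accounts:
            if acct.site in fallen:
                continue
            for path in acct.paths:
                if set(path) <= have:
                    fallen[acct.site] = path
                    have.update(acct.grants)
                    changed = True
                    break
    return fallen


# Constructed sample configuration (hypothetical sites and policies).
# The bank demands a hardware key at login, yet still keeps an
# "email link + SMS code" recovery path with your number on file.
ACCOUNTS = (
    Account("mail", paths=(("password", "totp"), ("sms_code",)),
            grants=("email_link",)),
    Account("bank", paths=(("password", "hardware_key"),
                           ("email_link", "sms_code"))),
    Account("forum", paths=(("password",),)),
    Account("vault", paths=(("password", "hardware_key"),
                            ("recovery_code",))),
)


def audit(accounts, attacker_start=("sms_code",)):
    """What falls to an attacker who controls only the phone number."""
    return reachable(accounts, attacker_start)


def without_sms(accounts):
    """The same accounts after the user says no to SMS wherever possible.
    A site whose ONLY paths use SMS keeps them: there is nothing to fall
    back on, which is exactly the phones-that-can't-do-better problem."""
    out = []
    for a in accounts:
        kept = tuple(p for p in a.paths if "sms_code" not in p)
        out.append(Account(a.site, kept or a.paths, a.grants))
    return tuple(out)


if __name__ == "__main__":
    for site, path in audit(ACCOUNTS).items():
        print(f"{site}: taken over via {' + '.join(path)}")
    print("after removing SMS:", audit(without_sms(ACCOUNTS)) or "nothing falls")
```

With the sample configuration, the mailbox falls to the SMS code alone, and that in turn unlocks the bank’s recovery path, so the hardware key on the bank login buys nothing. Stripping the SMS paths leaves the same attacker with no way in, which is the control the article is asking for.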
Catch-22
Even if the sites give us more control, many people probably won’t dive into fine-grained settings or even look at their authentication policies. That’s okay, but more advanced users should have the power to opt out of bad ones.
Let me say no to SMS where I can, and let me say yes to better options — don’t make a dumb law that locks me into SMS or anything else, no matter how good that feature might be now. Write an intelligent law, a flexible law, a law that considers change. We don’t just need more security. We need better security — on our terms. Let us say no to SMS.
For now, let me decide not to have SMS on my account. Let websites decide against SMS too. If a website decides that not allowing anything but hardware keys is the right decision, let them. It might cost them some customers, but that’s their choice.