one.network Ideas Portal
Status 📋Registered
Created by Guest
Created on Jul 4, 2025

DO NOT USE SMS FOR 2FA OTP codes - use TOTP apps, FIDO2 keys, or passkeys instead!

I was extremely disappointed to note that the only apparent form of 2FA security supplied on the site requires me to give you my mobile-phone number, and (without proceeding any further), I'm pretty sure that's because your attempt at 2FA provision involves sending an SMS text message to my phone. Logically, why else would you need my number; conventional (safe) 2FA using TOTP Authenticator apps doesn't require you to know my phone number, and SMS is the only method where knowledge of a phone number is involved. By all means, correct me if I'm wrong, but I think I'm on point here.

Why is this an issue? It's not that I have a problem with your knowing my number. It's because 2FA over SMS is a completely flawed, totally discredited method for 2FA provision, because it is wide open to interception and misuse by nefarious parties. Please research this urgently, if you're not already aware. Alternatively, here's a 30-min YouTube documentary by the highly accredited Veritasium/Derek Muller which explains why 2FA SMS is basically useless and unsafe these days: https://www.youtube.com/watch?v=wVyu7NB7W6Y It used to be the case that the biggest risk of 2FA interception came from hackers simply 'social-engineering' phone companies into erroneously shipping out replacement SIM cards to unrelated addresses as a result of an 'I lost my SIM card on holiday' sob story, but thankfully, even the most dimwitted phone suppliers appear to now have gotten the message that this is dangerous. However, the underlying technology involved in SMS-based 2FA is hackable - and relatively easily so - without the phone subscriber or the phone service supplier even being aware (as demonstrated in the video).

SMS 2FA is dead, and dangerous. Please don't use it. Please, as a matter of urgency, replace it with AT LEAST an app-based (Google Authenticator/Twilio Authy/Microsoft Authenticator - they all do the same job interchangeably) Time-based One-Time Password (TOTP) system, and/or a hardware key (like a YubiKey) that talks FIDO2, or use proper Passkeys, not passwords+2FA-SMS. In some respects, even if you do NONE of those, you're still better off not even bothering with SMS-2FA at all, and leading your users to take the risk. You might think that '2FA-SMS is better than no 2FA at all', and you'd only be half-right; if it leads to a user's identity being stolen, or this and other of their accounts being hijacked, because hackers have somehow gained access to another piece of a person's personal jigsaw as a result of your ultra-weak 2FA methods, then you're potentially culpable, as much as they are, for the outcome!

Thanks for reading this far, and I hope that if you're not the person able to make the decisions on this kind of technology in use at your company, then you'll be kind enough to pass it up the chain to someone in a position of responsibility to get it investigated. I'm not trying to sell you anything, and I'm only bothering to message you in the first place because I'm an old geek who has run out of patience today, seeing yet another reputable firm making 'beginner-level' mistakes in this area, and (for once), thought I'd put 'pen to paper', so to speak.

Suffice it to say, in the meantime, I will not be using your 2FA offering, which grinds my gears immensely, but honestly, better no 2FA at all, than SMS 2FA!
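To illustrate the point the submission makes, that an app-based TOTP scheme needs only a shared secret and never a phone number, here is an added example of the server side of RFC 4226 (HOTP) and RFC 6238 (TOTP). It is not code from one.network or from the author of the idea; it assumes the standard algorithm parameters (HMAC-SHA1, 6 digits, 30-second step) and uses the RFC's published test secret as a constructed sample. The `verify_totp` function shows the two checks a practitioner would want on the server: a small clock-drift window, and rejection of a code that has already been accepted so that an intercepted code cannot be replayed.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional
from urllib.parse import quote

# Constructed sample secret: the RFC 4226 / RFC 6238 test-vector key.
# A real deployment generates a fresh random secret per user (e.g. secrets.token_bytes(20)).
SAMPLE_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(key, int(unix_time) // step, digits, algo)


def verify_totp(
    key: bytes,
    submitted: str,
    unix_time: int,
    step: int = 30,
    digits: int = 6,
    window: int = 1,
    last_used_counter: Optional[int] = None,
) -> Optional[int]:
    """Server-side check of a submitted code.

    Returns the time-step counter the code matched, or None if rejected.
    - `window` allows +/- that many steps of clock drift between phone and server.
    - `last_used_counter` is the counter of the last code this user successfully used;
      any counter at or below it is refused, so a captured code cannot be replayed.
    - hmac.compare_digest avoids leaking which digits matched through timing.
    """
    current = int(unix_time) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return counter
    return None


def provisioning_uri(key: bytes, issuer: str, account: str, digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI that authenticator apps read from a QR code at enrolment.

    Note what it contains: a Base32 secret and display labels. No phone number
    is involved anywhere in enrolment or verification.
    """
    secret_b32 = base64.b32encode(key).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (
        f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
        f"&algorithm=SHA1&digits={digits}&period={step}"
    )


if __name__ == "__main__":
    now = 59  # constructed timestamp from the RFC 6238 test vectors
    code = totp(SAMPLE_SECRET, now)
    print("enrolment URI:", provisioning_uri(SAMPLE_SECRET, "ExampleIssuer", "user@example.invalid"))
    print("code at t=59:", code)
    used = verify_totp(SAMPLE_SECRET, code, now)
    print("first use accepted, counter:", used)
    print("replay of same code:", verify_totp(SAMPLE_SECRET, code, now, last_used_counter=used))
```

Persisting the returned counter as `last_used_counter` for the account is the part most home-grown implementations forget; without it, a TOTP code that is phished or shoulder-surfed remains valid for the whole drift window.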
