So, why do almost all banks, in the U.S. at least, only support the worst 2FA authentication method exclusively? And, this article doesn’t mention SIM-swap attacks, which are unavoidable. It can’t be that difficult to support an authenticator app.
#Cybersecurity
I’ve filed about 7 complaints to the Ombudsman where I live for my bank. I refuse to use sms for verification. I blame the bank for limiting my access to my accounts as a result. I’ve spoken to hundreds of employees, for hours and hours, wasted in branch time for hours, spoken with managers, escalated numerous tickets.
I’ve probably wasted more of their time and money, then it would have been for them to just implement 2fa from an app rather than sms…
I’ve proven to them how insecure it is. Employees and managers tell me I’m paranoid for nothing.
I’m so sick of this fight with them. Literally have no idea what else to do other then constantly complain, open tickets hourly and literally waste their time, ruin their metrics and annoy the hell out of anyone that works at the bank. I won’t use sms for 2fa.
I bet its the cheapest and/or easiest to implement. Why do more than the bare minimum, amirite?
^I feel like mine is a bad faith opinion, but I also feel passionately about this and want to ensure your post is getting some level of engagement so it can maybe get some proper discussion going.
A cynical thought: what if it’s actually less risky to make 2FA someone else’s fault when it fails, rather than worry about ever having to be held accountable for an insecure implementation they created.
I mean, you’re not wrong, just a hair off. It’s the most universally possible to implement.
Every version of every phone can support SMS, and no one worries that someone is spying on them when they get one.
SMS is a terrible solution, but it’s extremely easy to implement, and very accepted by people at large. That makes it all those things you mentioned, but it’s backed by a very legitimate motivation.
In other contexts this explains part of the popularity of federated signin systems, since users may not trust you, but they probably trust their email provider, and if you can piggyback off their MFA, you don’t have to hope the user will find you special enough to do the extra work.
Dedicated phone apps have a similar advantage, since you can leverage the phones built-in identity management.
Passkeys are currently being pushed very hard by security folks because, if done right, you can make the user more secure while making their sign-in process simpler, and letting them need to remember less and not install or manage anything.
You still have the ultimate issue of the atypical user who is valid and can authenticate, but for whatever reason has decided to only posess the dumbest of dumb phones, and can only accept SMS or phone calls.
I would wonder if they have done the cost / benefit of having to have support staff to help boomers who can’t use a TOTP app vs the cost of covering losses from SIM-swapping attacks. It’s probably a significant amount of money to hire all the people needed to support every grandma who can’t figure out where the six numbers come from.
My CU offers auth app support. Yet my big name options provider doesn’t. It’s so stupid.
Similar on my end.
The main CU I work with will let you verify logons inside their mobile app when logging on from like a desktop (text/call only for mobile logins), but the high yield savings I have at a much larger name bank is text only for 2FA (Which is not a mandatory nor default setting BTW).
What’s everyone’s opinions on verifying logins via mobile apps?
Anything but it being STUCK on my phone. Lose your phone and you’re up shits creek. Reading through my banks info crap about their 2sv, every 2nd paragraph about any issue involves deactivating 2fa, and resetting it all up again.
It’s being stupid. I want 2fs through an authenticator which I have locked down with another authenticator. I also have yubikey for quicker access for certain things.
I love my CU, but their app is an afterthought that tries (unsuccessfully) to use google authenticator. And if you try to call for tech support, you get whatever teller was unlucky enough to answer the phone.
Bless their hearts; they’re trying. And I’d rather give them my business than any for-profit bank.
As much as I despise SMS in general, and 2FA over SMS in particular, I think the risk of SIM jacking in the US is pretty low overall for this use-case, which is probably part of why banks don’t do more.
Add in (as others have said) the cost of proper 2FA and being able to off-load the risk (which is what banks do), and a VP of Risk Management doesn’t have much motivation to drive such a change.
My own anecdotal experience with Sim-jacking and 2FA: I recently ported a number to a new service, properly, with multiple steps to verify I was authorizing the port. It broke every SMS 2FA - I had to login to every account and re-enter the same phone number as my 2FA number. Which required verifying my login with email or another number (that was already in the account).
Oh come on, the US is usually two decades behind modern banking, 2FA over SMS is only a decade behind, so it’s an improvement!
You’ll have 2FA via an app like the rest of us, but in 2034
Now run along and enjoy your chip and pin
