Malicious SS7 activity and why SMS should never by used for 2FA

Mark Tinka mark at
Sun Apr 18 12:44:00 UTC 2021

On 4/18/21 05:18, Mel Beckman wrote:

> No, every SMS 2FA should be prohibited by regulatory certifications. 
> The telcos had years to secure SMS. They did nothing. The plethora of 
> well-secured commercial 2FA authentication tokens, many of them free, 
> should be a mandatory replacement for 2FA in every security governance 
> regime, such as PCI, financial account access, government web portals, 
> etc.

While I agree that SMS is insecure at the moment, I think there still 
needs to be a mechanism that does not rely on the presence of an 
Internet connection. One may not be able to have access to the Internet 
for a number of reasons (traveling, coverage, outage, device, money, 
e.t.c.), and a fallback needs to be available to authenticate.

I know some companies have been pushing for voice authentication for 
their services through a phone call, in lieu of SMS or DTMF-based PIN's.

We need something that works at the lowest common denominator as well, 
because as available as the Internet is worldwide, it's not yet at a 
level that one would consider "basic access".


More information about the NANOG mailing list