Malicious SS7 activity and why SMS should never by used for 2FA

William Herrin bill at
Sun Apr 18 15:02:26 UTC 2021

On Sun, Apr 18, 2021 at 7:32 AM Mel Beckman <mel at> wrote:
> SMS for 2FA is not fine. I recommend you study the issue in more depth. It’s not just me who disagrees with you:


That Schneier article is from 2016. The 3/2020 update to the NIST
recommendation (four years later and the currently active one) still
allows the use of SMS specifically and the PSTN in general as an out
of band authenticator in part of a two-factor authentication scheme.
The guidance includes a note explaining the social engineering threat
to SMS authenticators: "An out of band secret sent via SMS is received
by an attacker who has convinced the mobile operator to redirect the
victim’s mobile phone to the attacker."

The bottom line is that an out-of-band authenticator like SMS is meant
to -enhance- the security of a memorized secret authenticator, not
replace it. If properly used, it does exactly that. If misused, it of
course weakens your security.

Bill Herrin

William Herrin
bill at

More information about the NANOG mailing list