> port her cellphone number to a VOIP provider that does support receiving SMS from shortcodes over wifi
That's generally a great solution – unless the company she's dealing with is one of those that don't send SMS-OTP codes to VoIP numbers for seCuRiTy reasons, or demand that the number is somehow "registered in her name" (which many smaller carriers apparently don't do).
I really wish that were illegal. A phone number is a phone number.
> she turned on wifi calling on her phone. now she could receive SMS messages from friends and family, but 2FA codes still weren't coming through.
Interesting, I was under the impression that SMS over IMS was implemented transparently to external senders. But given what a hack the entire protocol is, I'm not really surprised.
> Interesting, I was under the impression that SMS over IMS was implemented transparently to external senders. But given what a hack the entire protocol is, I'm not really surprised.
I can probably illuminate some things here. This is almost certainly the SMS API they're using. Your phone, and your network by extension, does not care if the phone is technically online - so those messages get received because they're literally sending in the blind (and if the recipient is offline, the message gets temporarily stored by the receiving carrier for around 3-7 days before it is discarded).
These SMS OTP systems validate "reachability" (using APIs like https://developer.vonage.com/en/number-insight/technical-det... and https://www.twilio.com/docs/lookup/v2-api/line-status) and will not send a message if a number is 'not' reachable. Unfortunately, as implied by the air quotes, these methods are not infallible. This is done to reduce the costs of sending the message (carriers charge a lot more for commercial customers), but this is definitely stupid for an already-validated number like in this case.
> carriers charge a lot more for commercial customers
I've been used to unlimited free SMS for so long now (though I remember the days when it was limited) that I forgot commercial customers get charged for these.
It really is absurd that the same companies that won’t allow 2FA with any other method outside of SMS are the same ones not sending to VoIP. Maybe they all go through a service for SMS that blocks it, but it still upsets me.
It’s insane to me that maybe every bank I use requires SMS 2FA, but random services I use support apps.
May vary by institution, but both banks I have accounts with also support having a robot call my phone where I can confirm the login. That should at least work with WiFi calling.
I absolutely cannot stand that no bank I have (US) supports generic TOTP, which is more secure and easier to recover from backup if my phone is broken or stolen.
This is probably compliance-related. For me, TOTP isn’t “something I have”, it’s another thing I toss into my password manager and sync to all devices.
I really agree with it, but that’s probably their rationale.
Banks didn't support TOTP long before we were able to easily sync them across devices. It's likely more along the lines of banks generally having bad IT departments and outdated digital security policies.
That same rationale wouldn't support SMS as "something I have." iMessage and other solutions easily spread SMS into cloud and PC lands (ones that are more easily accessible than password managers). More likely it's because of legacy and "good enough" reasons.
Personally I don't put TOTP tokens into my password manager and keep a dedicated app for it, just in case my password manager is pwned.
I'm not really defending it, I'm explaining the mentality. iMessage is probably closer to "something I have" but yeah, often not true for many American users.
I'd probably keep a TOTP app if I actually brought my cell with my everywhere but I really don't feel like it; if I'm heading to a cafe to work for a bit I might need to access something and can't be bothered to bring two devices.
Plus, people increasingly access stuff from cell phones, so it's not a guarantee of "something you have" anymore. And no shot we're convincing everyone to start carrying some kind of hardware token.
You have to remember that cybersecurity is driven by what is secure so much as what is compliant, and increasingly so.
I do the same, and it somewhat defeats the spirit of 2FA, but I still believe it's more secure. It's basically a second password where intercepting it in transit once isn't enough to be able to repeat the login in the future.
My bank sends me 2FA codes in their app, which I then have to type into... their app. No kidding. Both the key and the validation in the same place, really ridiculous. Even something as crap as SMS 2FA would be better. TOTP or FIDO2 would be miles better.
TOTP is alright for logins, but it's generally very phishable. For transaction confirmation, not being able to tie a code to a given recipient and amount is somewhat of a dealbreaker.
Fwiw, Symantec VIP is TOTP under the hood, and you can extract the seed with some hackery. There is at least one financial institution in the US that uses that.
USAA. Better than nothing, but since it doesn't do push notifications it's a needlessly proprietary piece. It's probably a combination of legal and a slow IT infrastructure.
There is at least one major US bank that supports Yubikeys, and a different major one that supports (with some convincing) a phone notification-based second factor.
I could not use my Google Voice number (that I've had since Grand Central) for most companies that only do SMS 2FA until it became my Google Fi number. Then I guess some flag got set in the database they check against.
>I could not use my Google Voice number (that I've had since Grand Central) for most companies that only do SMS 2FA until it became my Google Fi number. Then I guess some flag got set in the database they check against.
I was wondering about that, because I can't get google voice because I have google fi, so clearly it's using the same bank of numbers, but maybe once they are fi, they are ported to T-mobile instead of their own CLEC.
Yeah, I think that restriction was due to that extremely strange way of using Hangouts (remember that?) as a possible backend for both Google Voice and Google Fi text messages.
Yeah, I use GV with all sorts of things that don't normally allow it, most likely as a result of being grandfathered in - i.e., I suspect they don't recheck old active numbers as being invalid per VOIP classifications/etc.
GV still works on BOA to an extent: general balance queries through their app or the web will go through, but anything involving identity and real transactions via wire or Zelle will ask for your real mobile number. Even if you do happen to visit one of their branches they will ask for confirmation through your real mobile number (landlines will obviously not work).
I think your experience is typical. I use my Google Voice number for everything and have rarely had any issues.
There are a few popular companies that blacklist VoIP numbers, but most don't. Even Chase, which historically blocked Google Voice, started allowing it a couple years ago.
Ah, I always assumed Google uses Bandwidth.com completely transparently – I wasn't aware there's a separate level of "line provider" look-up available. Thank you!
There must be something unique about my GV number. It's even allowed on WhatsApp (knock on wood).
I registered it about 13 years ago. I didn't transfer it from a landline/cell phone, it was picked from a list of Google Voice numbers available in my area code. I've never had Fi.
We actually had it that way on accident in a few of our applications - we had a `#isTextable(e164)` function that would do a carrier lookup and voip carriers sometimes returned as landlines or as arbitrary values that didn't mean mobile. We eventually did some work to refine that function to be smarter and actually better represent if the number was textable. At least for us, it wasn't a conscious decision, it was a gate being aggressive in our SMS pipeline.
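The "aggressive gate" described above, and the point made earlier in the thread that a reachability lookup should not block an already-validated number, as an added example (not code from any commenter or from the Twilio/Vonage APIs). The lookup results, field names, carrier names and the VoIP allowlist are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LineInfo:
    """Constructed stand-in for a carrier/line-type lookup result."""
    line_type: Optional[str]  # e.g. "mobile", "landline", "nonFixedVoip", or None
    carrier: Optional[str]

# Constructed sample lookup table keyed by E.164 number (not real data).
SAMPLE_LOOKUP = {
    "+15550000001": LineInfo("mobile", "Example Mobile"),
    "+15550000002": LineInfo("landline", "Example Telco"),
    "+15550000003": LineInfo("landline", "Example VoIP Inc"),  # VoIP misreported as landline
    "+15550000004": LineInfo("nonFixedVoip", "Example VoIP Inc"),
    "+15550000005": LineInfo(None, None),  # lookup returned nothing useful
}

# Hypothetical allowlist of VoIP carriers known to deliver application SMS.
SMS_CAPABLE_VOIP = {"Example VoIP Inc"}

def is_textable_naive(e164: str) -> bool:
    """The aggressive gate: only an explicit 'mobile' result gets an SMS,
    so a VoIP line reported as 'landline' silently loses its OTP."""
    info = SAMPLE_LOOKUP.get(e164)
    return info is not None and info.line_type == "mobile"

def is_textable_refined(e164: str, previously_delivered=frozenset()) -> bool:
    """Refined gate: prior successful delivery outranks the lookup, known
    SMS-capable VoIP carriers are allowed whatever line_type they report,
    and an empty lookup falls back to attempting delivery rather than
    dropping the code (the lookup is a cost hint, not ground truth)."""
    if e164 in previously_delivered:
        return True
    info = SAMPLE_LOOKUP.get(e164)
    if info is None or info.line_type is None:
        return True
    if info.carrier in SMS_CAPABLE_VOIP:
        return True
    return info.line_type == "mobile" or "voip" in info.line_type.lower()
```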
> It’s insane to me that maybe every bank I use requires SMS 2FA, but random services I use support apps.
It never ceases to surprise me how much American banks always seem to lag behind with regard to payment tech. My (European) bank started sending hardware TOTP tokens to whoever requested one like a decade ago. They've since switched to phone app MFA.
>>> I really wish that were illegal. A phone number is a phone number.
European speaking. For completeness:
Financial directive PSD2[1] allows using SMS as 2FA only because KYC has already been done for that number (anonymous SIMs are no longer allowed in the EU).
Also note that the 2FA is not the OTP code you receive. This code is just a proxy for probing "something you have", with the "something" being the phone number which, again, is linked to a physical person/company.
I have commented this several times, but as of today, SMS is the only 2FA method that can be easily deployed at scale (all demographics, all locations, compatible with all mobile devices)
Ironically, this is only true for prepaid SIMs. As a result, in some EU countries it's easier to get a month-by-month postpaid plan – sometimes there's no KYC at all for these...
Yes, the problem with UK ones, though, is that they route all the traffic through a prude proxy if you don't register. Because the UK is getting back to the Victorian era.
I had a SIM from Three Ireland that tried to apply this UK policy also on Republic of Ireland customers, where this is not required. It was unusable; it blocked pretty much everything it didn't recognise, like VPNs, even email servers. Luckily there are many sane providers there too. And no, they don't require registration.
Possibly less secure, considering the existence of sim-cloning crime rings. SMS 2-factor potentially gives a hostile actor a way to 'prove' that they're you.
I'd argue that there isn't one: you have to offer multiple choices. Auth through any TOTP app, Yubi key, pre-generated codes, mailing a physical code generator, etc.
> Financial directive PSD2[1] allows using SMS as 2FA only because KYC has already been done for that number (anonymous SIMs are no longer allowed in the EU).
I don't think that's true. Is there even any way for banks to ask your mobile operator for your identity (or confirm it), in the way that US banks seem to be able to? That seems like it would run afoul of EU privacy regulations.
And regarding the EU "anonymous SIM" regulation: That one ironically only seems to apply to prepaid cards. To my surprise, I was just able to register a postpaid line using no identity verification whatsoever a few days ago...
> This code is just a proxy for probing "something you have", with the "something" being the phone number which, again, is linked to a physical person/company.
The "thing you have" is actually the SIM card. That's supposedly why email OTP does not count – an account on some server is not, or at least not cleanly, "something you have". (A pretty poor decision, IMO, but that's a different story.)
> I have commented this several times, but as of today, SMS is the only 2FA method that can be easily deployed at scale (all demographics, all locations, compatible with all mobile devices)
All demographics except for people that change phone numbers frequently. All locations except those that don't have cell signal (or for plans without roaming). All mobile devices except those without a SIM card slot. An authentication solution for absolutely everyone! /s
Phone numbers are used like this because in the Year of our Lord 2025, they’re the best way to semi-solve the Sybil problem even somewhat without having to literally do some kind of KYC
I use Wi-Fi calling on a phone only for 2FA SMS. Never had a problem with it. It was RedPocket (MVNO) with T-Mobile. Annual plan of 200MB, only a few dollars a month. No T-Mobile service here* so only SMS over Wi-Fi works. Only ever used for SMS 2FA.
*The bands acquired with the Sprint merger have service, but the cheap used phone I bought was pre-Sprint-merger and lacked those bands.
VoWiFi (as Wi-Fi calling is called in the 3GPP specs) is similar to VoLTE, but not all SMS go over VoLTE: Unlike for calls, where there's mandatory VoIP in 4G/LTE and beyond (there is no more circuit switching), there's still a fallback path for SMS that uses legacy signalling instead of IMS (which powers VoWiFi and VoLTE/VoNR).
Maybe there are some SMS gateways that are somehow incompatible with some IMS message gateways? (Theoretically, the IM-SM-GW should be transparent to external networks, I believe, but practically I wouldn't be surprised if some weird things lurked in there, requiring a fallback to the signalling path, which is not available on VoWiFi.)
Unfortunately there are a lot of "is this number voip" services that use various tricks to detect voip numbers, or simply buy this data from the voip provider or someone else in the path.
If nothing else, if a particular voip provider only does voip, you can just put them on a blacklist. You can get any number's provider from the number portability clearinghouse (this might be country dependent, where I live, there's only one, and anyone can query it).
"port her cellphone number to a VOIP provider that does support receiving SMS from shortcodes over wifi"
...
"... unless the company she's dealing with is one of those that don't send SMS-OTP codes to VoIP numbers for seCuRiTy reasons ..."
Correct.
This is, in fact, a terrible idea because even if you do find a VOIP provider that can receive SMS from "short codes" (the weird little numbers your bank sends codes from) that is a temporary oversight and will get "fixed" eventually.
Remember:
None of this is for your security or to help you. All of these measures are just sand in the gears to slow down the relentless onslaught of scam/spam traffic.
Your bona fide mobile phone number is a "proof of work" that these providers are relying on in absence of any real solution to this problem.
> That's generally a great solution – unless the company she's dealing with is one of those that don't send SMS-OTP codes to VoIP numbers for seCuRiTy reasons, or demand that the number is somehow "registered in her name" (which many smaller carriers apparently don't do).
I really wish that were illegal. A phone number is a phone number.
It pisses me off to no end. I use a few different banks and some are fine with Google Voice, others are not. One only allows customer service to send SMS tokens to Google Voice, but not through the regular flow. In all but one case, they will happily robocall my Google Voice number and have a TTS engine read me the same code that they didn't want to SMS.
Why? I still send SMS. Wifi is not available overall. The Google SMS app is not able to retry sending when connectivity is back and the UI is enshittified, but this is the norm in modern software.