top | item 43987515

(no title)

fasteo | 9 months ago

>>> I really wish that were illegal. A phone number is a phone number.

European speaking. For completeness:

Financial directive PSD2[1] allows to use an SMS as a 2FA only because there is an KYC already done for that number (anon SIM are no longer allowed in the EU)

Also note that the 2FA is not the OTP code you receive. This code is just a proxy for probing "something you have", with the "something" being the phone number which, again, is linked to a physical person/company.

I have commented this several times, but as of today, SMS is the only 2FA method that can be easily deployed at scale (all demographics, all locations, compatible with all mobile devices)

[1] https://en.wikipedia.org/wiki/Payment_Services_Directive

discuss

watermelon0|9 months ago

Anon SIM cards are still allowed in some EU countries: https://prepaid-data-sim-card.fandom.com/wiki/Registration_P...

wkat4242|9 months ago

Yes in the Netherlands they're still anonymous

lisper|9 months ago

> anon SIM are no longer allowed in the EU

Ah. That explains why they asked for my life history when I tried to buy a local SIM in Italy.

lxgr|9 months ago

Ironically, this is only true for prepaid SIMs. As a result, in some EU countries it's easier to get a month-by-month postpaid plan – sometimes there's no KYC at all for these...

dfawcus|9 months ago

> anon SIM are no longer allowed in the EU

Surely Ireland still allows them? If not, they're trivial to source from NI.

wkat4242|9 months ago

Yes the problem with UK ones though is that they route all the traffic through a prude proxy if you don't register. Because the UK is getting back to the Victorian era.

I had a SIM from three Ireland that tried to apply this UK policy also on the republic of Ireland customers where this is not required. It was unusable, it blocked pretty much everything it didn't recognise like VPNs, even email servers. Luckily there's many sane providers there too. And no they don't require registration.

exabrial|9 months ago

> SMS is the only 2FA method that can be easily deployed at scale

No, no, no, no, NO. No it's not. And you have zero proof of this. Its done this way because its the lowest effort to give security theater.

kgen|9 months ago

What's the theater with sms 2fa? That is more secure than not having it enabled no?

genevra|9 months ago

What's the actual method that can be easily deployed at scale then?

lxgr|9 months ago

> Financial directive PSD2[1] allows to use an SMS as a 2FA only because there is an KYC already done for that number (anon SIM are no longer allowed in the EU)

I don't think that's true. Is there even any way for banks to ask your mobile operator for your identity (or confirm it), in the way that US banks seem to be able to? That seems like it would run afoul EU privacy regulations.

And regarding the EU "anonymous SIM" regulation: That one ironically only seems to apply to prepaid cards. To my surprise, I was just able to register a postpaid line using no identity verification whatsoever a few days ago...

> This code is just a proxy for probing "something you have", with the "something" being the phone number which, again, is linked to a physical person/company.

The "thing you have" is actually the SIM card. That's supposedly why email OTP does not count – an account on some server is not, or at least not cleanly, "something you have". (A pretty poor decision, IMO, but that's a different story.)

> I have commented this several times, but as of today, SMS is the only 2FA method that can be easily deployed at scale (all demographics, all locations, compatible with all mobile devices)

All demographics except for people that change phone numbers frequently. All locations except those that don't have cell signal (or for plans without roaming). All mobile devices except those without a SIM card slot. An authentication solution for absolutely everyone! /s