A "more secure" 2FA additional number

Manipulation of SS7 to redirect 2FA messages, taking over WhatsApp/Signal numbers, etc. is a thing that can happen. I imagine that it’d be possible to reduce the likelihood of this happening if you have a second number on your plan that forbids roaming, maybe has additional restrictions too, and attempts to do things that are not expected could raise an alert to the user.

The use of in-app SMS delivery rather than delivery via the mobile network would also allow you to get at messages from an iPad, which otherwise cannot receive SMS.

SMS could be delivered in-app rather than via the phone network, and perhaps later you could get voicemail for it too for those things that talk verification numbers at you.

Would love to do something like this; I think we discussed it somewhere as well.

The challenge right now is that virtual numbers with Twilio, Vonage et al don’t work as 2FA numbers (they can’t send messages between themselves as far as I know). It’d need a deeper integration with one of the host networks, and we’re not quite there yet…

3 Likes

I regularly use Twilio numbers for WhatsApp and Signal. I’ve not tried to send messages between Twilio numbers directly in the API, but as yet I’ve not had any deliverability issues.

1 Like

I believe it’s only the machine-to-machine messages, so a 2FA SMS sent from one provider to another would fail. I’ll double check this though, and we are going to bring virtual numbers to the app^^

2 Likes

Is Time-based One-Time Password (Wikipedia) not good enough for 2FA? It ticks the box of being app-based with numerous applications to choose from.

1 Like

It’s excellent, but some companies still don’t provide it :(

We’ll enable 2FA for our app at some point, and will require something like that instead of SMS^^

1 Like

The problem is not the providers themselves - they can send to themselves just fine (Twilio can for sure, I don’t remember about Vonage/Nexmo but I don’t see why it shouldn’t work).

The problem is that most companies blacklist ranges allocated to VoIP providers. Part of it could be abuse/fraud prevention, but I think the other part is that they secretly use these numbers for nefarious purposes (marketing/advertising) and wouldn’t want people to evade this.

Using lesser-known VoIP providers will typically solve the problem. I’ve had good luck with Andrews & Arnold’s 07 numbers.

1 Like