There's No Such Thing As "SMS Security"

Dateline Toronto, 4th May 2023.Twitter announced that it will only allow its users to secure their accounts with SMS-based two-factor authentication (2FA) if they pay for a Twitter Blue subscription. This surprised a number of people (eg, Davey Winder here in Forbes) for a number of reasons. First, and most obviously, because making people pay for security could backfire because they many users will not pay and (there will therefore be more account takeover) but secondly, and more surprisingly, because as has been obvious for years, no-one should be using SMS for “security” in any circumstances: Not banks, not fintechs, not payment companies, not governments, not anyone.ShareSMS was deprecated as an authentication more than a decade ago. Here is what the US Department of Commerce’s National Institute of Standards and Technology (NIST) said about out-of-band (ie, 2FA) authentication in their Digital Authentication Guidelines back in July 2016: SMS is deprecated, and will no longer be allowed in future releases of this guidance. I remember that at the time I looked up “deprecated” to make sure I understood the nuance, since I assumed it meant something other than a general disapproval. According to my dictionary it means “(chiefly of a software feature) be usable but regarded as obsolete and best avoided, typically because it has been superseded: this feature is deprecated and will be removed in later versions”.)Anyone who uses the phrase “SMS security” clearly does not understand the subject.Charles Brookson, then the head of the GSMA’s security group, made this…There's No Such Thing As "SMS Security"