Comment by 🛰️ repeater

Re: "Say no to SMS"

In: u/tenno-seremel

@CarloMonte: If your point is that SMS 2FA is harder to screw up in some sense, then I mostly agree. It's still less secure though, and SIM swap attacks are a nightmare.

You should back up your authenticator app in a secure manner, and you should also have recovery codes securely saved. If you do it right—which is not hard with a good app—then an authenticator app is unquestionably a more secure option than SMS.

🛰️ repeater

2025-07-05 · 10 months ago

4 Later Comments ↓

👻 darkghost · 2025-07-05 at 22:16:

I would absolutely adore it if my damn banks accepted any other form of 2FA besides SMS. They don't. My email is more secure because it uses an authenticator.

🦔 bsj38381 · 2025-07-06 at 00:16:

I would honestly rather use a 2FA passcode than use typical SMS login. (A hardware passcode is a life saver as well.)

🦋 CarloMonte · 2025-07-06 at 16:04:

@repeater my point was that TOTP-based 2FA using a password manager (not an authenticator APP) which *you* control and which is in *your* backup (data at rest) sounds like a very good idea to me. One can often avoid getting into the situation where one is locked out of basic services.

🦂 zzo38 · 2025-07-06 at 19:26:

I do not really like 2FA so much at all, and it also does not help as much with API keys which often do not use 2FA. I think X.509 client authentication will be better. This allows for many things including partial delegation of authorization, operating on behalf of others (if authorized by them), and the private key can be passworded which means that you can require a second factor. With username/password, the authentication can be stolen permanently; with TOTP, the authentication can be stolen for one minute; with X.509, it cannot be stolen. (For some things, other methods such as HMAC, digitally signed releases, will work better than using TLS with X.509, though.)

Original Post

☕️ tenno-seremel

Say no to SMS — SMS is simple, SMS is convenient! Or so ðey said. And now I can’t log in to anything or confirm anything ðat requires SMS because ðey arrive half an hour late and ðe code is already invalid by ðat time. Niiiiiiice 🐱☕ I wish people stopped pretending login and password is some rocket science ðat nobody is capable of understanding, it only helps corporations to siphon more data 🤷

💬 9 comments · 2 likes · 2025-07-05 · 10 months ago · #internet #SMS