Ask HN: Why did smartphones become a single point of failure?

238 points by neverminder 2 years ago

I can't log in to any of my banks without my phone. Most of the systems in my workplace also require phone app authentication. I can't do any of those things with just a PC or laptop. Smartphones, being the smallest and most portable, are surely the most lost and stolen. If someone got hold of my PC or laptop they would be able to do some damage, but not even close to what they could do if they were able to access my phone. Everything everywhere nowadays requires some app.

dogleash 2 years ago

Nobody knows how to do a failure analysis. I used to work in R&D; now that I'm building websites and mobile apps, the culture doesn't care. Pointing out obvious design limitations will, more often than not, make me the asshole.

Not even trying to delay ship or get future rework scheduled, just having it documented is too much. Out of sight out of mind.

  • canucklady 2 years ago

    It's not that people don't know it's a SPOF. The issue is that if you fail in a way that is common, nobody blames you. Cell phone 2FA is so ubiquitous that when it doesn't work clients wonder if they're the one fucking up. We had a massive internet outage in Canada recently and nobody blamed individual shops for not being able to take credit cards, they blamed the phone company.

    If you roll your own thing, even if it's objectively better, you're painting a target on your back. Now when your new thing fails it's your fault.

    There's also something to be said for how modern financial capitalism has squeezed redundancy out of everything. Supply chains are just-in-time, businesses rely on a million vendors for everything, if a single link in the chain fails it usually has a huge blast radius because of broad consolidation in these upstream suppliers. Basically there are a lot of small businesses that depend on like 5 large companies (think Sysco, telecoms, etc) and if those large companies fail every small company fails in the same way, so there's no incentive to derisk (because your competitors will all also be failing in the same way).

    • Dr_ReD 2 years ago

      > There's also something to be said for how modern financial capitalism has squeezed redundancy out of everything. Supply chains are just-in-time,

      Hence the automotive/chips and other recent shortages...

      • guywithahat 2 years ago

        Are you implying we should have wasted billions manufacturing extra chips just in case there was a shortage and consumers didn't want to wait a year before buying a new car/truck?

        • Dr_ReD 2 years ago

          Not wasted. Stocked by automakers, for their own use.

          Car manufacturers have the nasty habit of keeping no stock —at all— even of inexpensive stuff like microchips, smd components, nuts, bolts... and ordering everything "just in time", while at the same time maintaining a steel-fisted strangle-hold on suppliers which are obliged to provide them what's needed when, or die.

          • tzs 2 years ago

            Someone should probably have a stock, but it is not clear to me that it should be the automakers.

            For those components that are used by multiple different automakers (and others) wouldn't it make more sense for the component manufacturers to be the ones stocking?

        • southerntofu 2 years ago

          I'm personally ashamed that auto manufacturers are destroying the environment and making life difficult for all electronics manufacturers because they want to embed literally hundreds of micro-controllers into cars, just so that they can make it break when one single component fails.

          This MCH speaker suggests 3 micro-controllers is all it takes to build a fully functional and road-safe electric car, and explains the current situation about auto manufacturing:

          https://media.ccc.de/v/mch2022-77-electric-vehicles-are-goin...

          • brokenmachine 2 years ago

            >just so that they can make it break when one single component fails.

            No, it's also so they can do really important stuff like remotely disabling your heated seats.

        • falcolas 2 years ago

          So, a couple of companies did actually stockpile chips (Toyota was one, IIRC), because it was a component whose manufacturing flexibility is pretty minimal. It was financially lucrative for them, since they could sell vehicles at a time when no other manufacturers could.

          • AceyMan 2 years ago

            > Toyota was one IIRC

            The irony runs deep with that tidbit.

            • yencabulator 2 years ago

              Maybe it's more that Toyota knows how to right-size their process, while most others are just cargo culting one superficial aspect of the method.

              From the parent:

              > because it was a component whose manufacturing flexibility is pretty minimal

            • rudasn 2 years ago

              For anyone wondering, just in time was first established by Toyota and other Japanese manufacturers in the 70s and 80s.

              • aaaaaaaaata 2 years ago

                For areas it makes sense!

                Not every single supply chain in a nation!

          • Dr_ReD 2 years ago

            Indeed. Sometimes doing the right thing pays very well. :)

        • throwaway14356 2 years ago

          Supply could just end permanently. Some kind of plan would have been reasonable in the old days, but today?

          In the 90s I had a business fail because the phone company never connected my land line (and kept lying about it). It would have failed a lot faster if there hadn't been a pay phone in front of the building.

          Shops could still fall back on cash a few years ago, but now many take card or phone payments and nothing else.

          3-4 decades ago regular customers often got credit at their local store, bar or lunchroom.

          We seem to increasingly do stuff without a plan B.

        • _jal 2 years ago

          I don't see anyone demanding a planned economy.

          I see people recognizing reality - JIT is efficient but fragile in the face of disruption.

          Seems to me the sensible thing to do would be to recognize that for what it is and try to strike the right balance in an uncertain world. Even if your concerns are strictly commercial, a couple points margin in good times is unlikely to balance a year of massively screwed up supply chains.

          • falcolas 2 years ago

            Even the progenitors of JIT did not advocate for zero warehousing - they advocated for not warehousing components which could be manufactured on demand.

            Chips do not fall into this category.

          • guywithahat 2 years ago

            What makes you think the right balance hasn't already been struck? It seems rational to me that a pandemic followed by a chip shortage driven in part by crypto would be extremely unlikely, and if they had two years of extra stock on hand that would almost suggest to me they were too prepared (i.e. wasting money). Like if the zombie apocalypse strikes tomorrow, you probably will be unprepared, not because you're bad at planning but because this was too unlikely to have reasonably prepared for.

            • _jal 2 years ago

              > What makes you think the right balance hasn't already been struck?

              Because it wasn't in the company I work for, and it wasn't at many of our suppliers, and it looks like similar things happened most everywhere else.

              We've made a number of changes, both to how and where we source things, to how much of what we keep in stock, and changed processes to re-evaluate suppliers and overall state-of-the-market more frequently.

              I know some of our vendors have as well, both because in some cases we asked them to, and also just from talking to them.

              If your firm has achieved planning perfection, congrats. I mean that sincerely. But I don't think a lot of other places have.

        • marcosdumay 2 years ago

          My bet is the cost would be in the hundreds of thousands (yep, globally). But if you really want to push the envelope, you can go with high single-digit millions.

    • pif 2 years ago

      > modern financial capitalism has squeezed redundancy out of everything

      If by "modern financial capitalism" you mean "customers who prefer cheaper to superior quality of product and/or service", then I agree with you.

      • BLanen 2 years ago

        If you're a naive economist and you think Homo Economicus is real.

      • falcolas 2 years ago

        How often are customers really given that choice, as opposed to companies making the decision on their behalf because customers are stupid (they just want a better horse, after all)?

        We can't buy what doesn't exist after all.

        • pif 2 years ago

          > How often are customers really given that choice?

          You and your competition produce two equivalent products. They sell theirs for $100: do you feel confident in pricing yours at $110 and base your commercial copy on "We rely on a more robust logistic chain in case of a world-wide catastrophe"?

          • falcolas 2 years ago

            This isn't asking the customer to make a choice, it's asking a businessman if they're willing to invest in their business.

            And it is an investment, not an ongoing significant cost. Once you have a local surplus established, you can simply buy what you use going forward - the same as any other JIT manufacturing process - with a minimal ongoing cost for storage space.

            As such, a businessman who wishes to invest in the longevity of the business over maximizing this year's profits would be happy to sacrifice some profit for the ability to remain solvent in the next supply chain breakdown.

            Because there will be another one.

        • HeyLaughingBoy 2 years ago

          The choice is almost always there, but the overwhelming majority of people choose the cheap option. Seriously, for pretty much anything there's a cheap version and a more expensive, (usually) better quality version.

          • wizofaus 2 years ago

            It's the "usually" that's the problem for me. Last time I bought a washing machine I was willing to pay 3x the cost of the cheapest model provided it came with a warranty that was at least 3 times longer. But in fact all machines had the same pathetic 2-year warranty, indicating to me the manufacturer didn't genuinely believe their more expensive machine was going to last any longer. So I went for a mid-range one that at least didn't look cheap and nasty, but probably will break down in a few years anyway (and then be more expensive to repair than replace).

    • gameshot911 2 years ago

      Let's not forget the benefits either. Reduced redundancy is _good_ (as long as nothing fails in the chain, ofc). It enables society to make more, for lower costs. And it works remarkably well, overall.

      • falcolas 2 years ago

        But that's the problem being expressed: things will fail. Things will always fail, and ignoring that is the equivalent of burying your head in the sand and thinking your ass is covered.

        • gameshot911 2 years ago

          If things go right 8 times out of 10 overall, that's a net win. Expected value - I get Product X $2 cheaper if things go right, but lose $6 if things go wrong. Expected value = 2*.8-6*.2 = .4. Overall net positive.

          • falcolas 2 years ago

            "The price for something is measurably higher if the manufacturer maintains a surplus of components with an inelastic supply" is not really true though.

            Once the initial investment in creating a stock of those items is done, there's only a minimal storage cost. For things like chips for cars, that storage cost is probably measured in double-digit dollars a year to create billions of dollars worth of vehicles.

            Is investing in a business to smooth over supply chain problems really so taboo to a modern businessman?

  • bob1029 2 years ago

    > Pointing out obvious design limitations will, more often that not, make me the asshole.

    Being an "asshole" isn't always a bad thing, assuming you mean "frowned upon for providing dissent along lines of unhappy, but factual, technical realities which are applicable in the current context".

    If this is the new definition of asshole, then I am the king of assholes.

    • 0xbadcafebee 2 years ago

      Asshole here too. Left previous job, people sent messages thanking me for being the only person asking hard questions.

    • taneq 2 years ago

      As long as your new definition of 'asshole' also comes with a new definition of 'bad thing' that doesn't include 'will piss off your users and cause you/your client to lose money'...

      • bob1029 2 years ago

        Agreed. I think how you deliver your unhappy truths is 99% of keeping the other party from going bananas. There are very few things that cannot be reframed in a more positive light.

        Being able to sell a "no" is much more important than being able to sell someone on a shiny piece of bullshit.

  • Dr_ReD 2 years ago

    It's not that they don't know how to.

    It's that there's an economic incentive to not care. So they don't.

    • pif 2 years ago

      Exactly, and the incentive is that customers do not care.

      Build quality, keep redundancy, and in the next pandemic your business will flourish... unless you'll have had to close it before 'cause of people buying cheap and not good!

      • falcolas 2 years ago

        I assert that customers do care. Customers were quite annoyed that they couldn't buy vehicles, regardless of the price. Or do you just not remember the complaints?

        On the business side, Toyota - the progenitor of JIT manufacturing who still warehoused chips to deal with a shortage exactly like what happened - flourished at a time when others floundered. As an added bonus, they were still able to remain profitable prior to the shortage, despite having warehoused chips.

        I think the "buy cheap not good" is more of a proactive excuse from companies who want to sell cheap goods to maximize their profit. Kind of an extension of the "never ask customers what they want, they'd just want better horses" or "they can have it in any color so long as it's black" tropes.

        • pif 2 years ago

          > I assert that customers do care. Customers were quite annoyed that they couldn't buy vehicles

          This is not what I meant. Customers did not care, before the pandemic.

  • toss1 2 years ago

    True!

    It's Risk. Humans are typically insanely bad at understanding risk, how to assess it, and how to mitigate it.

    For most, if something is risky, it's just a black box, perhaps with some odds, and it's either feared or ignored (or both).

    Few understand the critical difference between using knowledge, skill, technology, and planning to manage and mitigate risk, vs rolling the dice and getting away with it for a long time.

    Using knowledge, skill, technology, and planning to manage and mitigate risk has gotten humans to great heights - we can make entire careers living in environments in which random behaviors will kill us in seconds (e.g., aerospace, underwater, large construction, metals refining, etc.).

    But most people think much more naively, and even do so in professional environments unless required otherwise (and even sometimes where they are). So, they just think that if something isn't obviously a risk, or only happens occasionally, ignore it.

    This is just rolling the dice. Even if you get away with it for a long time, that only makes you more falsely confident and therefore more vulnerable. From the last mild pandemic, there are over a million dead and close to half million suffering long disease from this attitude.

    And you see it in your work - you simply point out an obvious very damaging failure mode, even just to document it, and you get a hostile reaction.

    I'm not sure what to do about it. Perhaps rock climbing should be a required activity in school, learning to viscerally manage risk, and showing that it is usually actually easy to do?

  • taneq 2 years ago

    Plenty of people know how to do failure mode analysis. In most webcentric scenarios, though, nobody cares because it's all about the average case. If 99 of your users have a great experience and 1 has a bad-but-not-bad-enough-to-make-the-front-page experience, that's a huge win over 100 users having an okay experience. I hate it too, but that's the market.

winternett 2 years ago

Your phone is leveraged so much because it provides companies with deeper tracking capabilities. Most laptops and PCs only geolocate based on their connection points; phones have accelerometers and more accurate location and ID info in them, so many app makers hobble browser-based app iterations to encourage mostly phone use. They also know users are engaged and focused on content more when they are on phones, because browsing in multiple tabs is less possible than on desktop PCs. It's ridiculous that we are manipulated in this way, but fandom for certain devices and apps has created powerful companies that dictate how the Internet works, rather than a better world where companies work to provide value and function to consumers first. The customer is no longer right; whatever the company dictates is what is right now, unfortunately so for us.

  • freshhawk 2 years ago

    Don't forget your phone is much more deeply tied to your identity through your cell company contract and the OS account information is more likely to be closely tied to your identity.

    It's also much rarer for someone to have multiple phones and the need to detect that connection.

    So there are deeper tracking capabilities and it is easier to connect that tracking data with an official person in order to cross-reference.

  • ryan29 2 years ago

    As soon as you connect a phone to your home WiFi or log into a single account that device is instantly associated with you and tracks you forever. Phone numbers are just a convenient way for big tech to share your identity amongst themselves.

    Use a VPN and try to create all of the accounts you'd need to participate in society. It's impossible. You'll be lucky if you can get an email address. I can't imagine being un-banked or unable to afford a phone. You can't participate in modern (western) society without a (non-VOIP) phone number.

    Also, there's no air gap on a phone. Devices will be correlated via location data, SSID scanning, etc.. Put two devices in the same house with wifi disabled and location data enabled and they'll be instantly linked as knowing each other.

    • winternett 2 years ago

      Agreed, I've noticed a lot of issues in using home wi-fi across social media. There is also some sort of cross platform tracking occurring between Twitter, YouTube, and TikTok for sure, because I've frequently been shown the same topics and trends across those sites. I'm beginning to think there is a UUID that is associated with my home IP, because when I go off it (roaming on mobile), my (off home IP) Internet experience is not consistent with PC back at home.

      • wizofaus 2 years ago

        That your IP address is used as part of delivery customization isn't surprising (though why it would make sense for platforms you need to log into I'm not sure). As far as YouTube/TikTok/Twitter sharing tracking info - unlikely, I'd say just the fact that you are the same person using all 3 services which all picked up on your personal preferences from your initial usage of each site would be enough to explain being shown similar content. I could perhaps accept both Twitter and YouTube have access to some other centralised source of personalised data if you've provided the same email address or phone number to both, though I'd think there'd be regulations around that.

        • winternett 2 years ago

          I've frequently noticed that when I watch a YouTube video, it suddenly shows up somehow on my Twitter feed, or a connection thereto... Often I'm recommended to follow the artist from the song I discovered. It happens so much for me that it can't be coincidence. Perhaps my browser is the connection, but I've worked in tech for a while now, and could definitely believe that artists meet with big tech regularly to run integrated marketing campaigns across different brands of social media, especially on the Beyonce level.

          • wizofaus 2 years ago

            Often I watch a youtube video, then the song suddenly starts showing up on the radio, at shopping malls, the latest Netflix series, you name it. It happens so much for me it can't be coincidence...

  • s1artibartfast 2 years ago

    For reddit- sure, but why banks? Surely managing hundreds of thousands of my money is worth more than some geo data.

    • Hackbraten 2 years ago

      Banks are in the smartphone game for a few more reasons other than tracking:

      1. They tend to trust a locked-down, reasonably secured environment more than a hackable, general-purpose operating system, especially for 2FA.

      2. They’re under pressure from fintech, so they have to focus more on things customers want.

    • winternett 2 years ago

      They could be using it to verify whether your phone number is being spoofed overseas. If location data on your device indicates you are currently in Texas, but suddenly a charge is made originating in Malaysia, it would trigger an alert based on a geolocation mismatch... They can also use it against you to find out where you go when you are paying in just cash, or for other nosy reasons. That's why the overreach is bad. When you consider other companies in insurance, the IRS, THE ENTIRE HEALTH CARE INDUSTRY, and even CVS tracking you through apps, the harmful secret data they could compile on us to better fleece and police us is potentially outrageous.
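The geolocation-mismatch alert winternett describes is, in detection terms, an impossible-travel rule. The following is an added example written for this page, not code from the thread or from any bank's fraud system. It generalises the Texas/Malaysia case slightly: rather than comparing countries, it takes consecutive events for an account (device-reported location and charge location), converts distance and time gap into an implied speed, and flags anything faster than an airliner. The event records, coordinates, timestamps and the 1000 km/h threshold are all constructed for the example.

```python
"""Impossible-travel check over per-account location events (added example)."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumed threshold: faster than any airliner


@dataclass(frozen=True)
class Event:
    account: str
    ts: int        # Unix seconds
    lat: float
    lon: float
    source: str    # "device" = app-reported location, "charge" = merchant location


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev: Event, cur: Event) -> float:
    """Speed the account would have needed to get from prev to cur; gap floored at 1 s."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = max(cur.ts - prev.ts, 1) / 3600
    return dist / hours


def find_impossible_travel(events, max_speed: float = MAX_PLAUSIBLE_SPEED_KMH):
    """Return (previous_event, current_event, speed_kmh) for each per-account
    consecutive pair whose implied speed exceeds max_speed."""
    alerts = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: (e.account, e.ts)):
        prev = last_seen.get(ev.account)
        if prev is not None:
            speed = implied_speed_kmh(prev, ev)
            if speed > max_speed:
                alerts.append((prev, ev, round(speed)))
        last_seen[ev.account] = ev
    return alerts


# Constructed sample data. alice: device seen in Austin, TX, then a charge from
# Kuala Lumpur 30 minutes later. bob: Austin, then a charge in Dallas 4 hours later.
SAMPLE_EVENTS = [
    Event("alice", 1_700_000_000, 30.2672, -97.7431, "device"),
    Event("alice", 1_700_001_800, 3.1390, 101.6869, "charge"),
    Event("bob",   1_700_000_000, 30.2672, -97.7431, "device"),
    Event("bob",   1_700_014_400, 32.7767, -96.7970, "charge"),
]

if __name__ == "__main__":
    for prev, cur, speed in find_impossible_travel(SAMPLE_EVENTS):
        print(f"{cur.account}: {prev.source} at ({prev.lat}, {prev.lon}) -> "
              f"{cur.source} at ({cur.lat}, {cur.lon}) implies {speed} km/h")
```

Only alice's pair is flagged; bob's Austin-to-Dallas trip works out to roughly 73 km/h. A speed threshold is used rather than a bare "different country" test because device GPS and merchant or IP geolocation have very different precision, and a short hop across a border is legitimate far more often than a transpacific one inside half an hour.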

nicbou 2 years ago

This is a big problem for me as a traveller. If I travel long distance and I lose my phone, I lose access to both my personal and business bank.

I once dropped my phone in a lake (I'm clumsy) and was locked out of most things for a few weeks.

I prefer TOTP for most things. KeePass supports them across platforms, but Aegis has a better experience on mobile.

  • BLKNSLVR 2 years ago

    I don't travel much, especially recently, so this may not be worth the hassle for frequent travellers, but I factory reset before going overseas, or use a non-current phone to take overseas.

    Once through customs etc., reinstall only the essential apps for the trip; just remember your passwords, or the single password to your password manager.

    You can also spread about an encrypted set of instructions amongst free email hosting.

    Some people would say it's a hassle, but it keeps customs' nose out of my private life. I'm getting to an age where it's not necessarily weird to have the appearance of barely any online presence.

    • bzxcvbn 2 years ago

      I have traveled a lot over the past few years, including several times through hostile customs (eg USA). I have never had any of them go through my phone or even ask to see it. And to be quite frank, I don't see what use a border agent or the government would use from my phone that they couldn't get in a different, simpler, less blatant way. I'm not sure what threat model you're fighting against, but it may exist only in your mind.

      • BLKNSLVR 2 years ago

        I've been raided by the police before, so my threat model went up a couple of notches as a result of that.

        It's a relatively recent incident and a story I'll be telling in detail at some point soon, I hope.

      • the_only_law 2 years ago

        I’ve heard so many nasty things about customs recently. Down to officers straight up insulting people coming in.

      • nicbou 2 years ago

        Same. 50+ countries and I only had to turn my laptop on for the TSA.

  • l72 2 years ago

    Agree. I bring my phone overseas, but don't have an international plan, so I usually purchase a local SIM card and swap it out. But all my MFA fails then, because it is trying to text my US number!

  • unethical_ban 2 years ago

    What 2FA does your bank use? I hear you on the issue... if any site requires me to use a 2FA I can't backup, then I simply don't enable 2FA.

    It is baffling to me that banks of all places seem to have the absolute shittiest implementations of 2FA I have ever experienced - if they even have it.

    FWIW I use 2FA a lot more now that I discovered Authy, which backs up your 2FA tokens (encrypted) to the cloud. There is also 1Auth, I believe the name is, which allows you to do offline encrypted backups.

  • simonblack 2 years ago

    See my comment elsewhere on this page.

    Most banks can supply 'tokens' that generate a random-number that acts as a one-time verification.

    https://pic.pimg.tw/abcwithyou/1348639177-1831387207.jpg

    They are invaluable if you travel internationally as sometimes verification codes sent by text will be hopelessly out of date by the time you receive them. (If you receive them at all, that is.)

  • 2-718-281-828 2 years ago

    How about taking a fully set up backup phone with you? That's what I do. Losing a phone while travelling nowadays is indeed an expensive and extremely inconvenient mishap.

    • nicbou 2 years ago

      I travel by bicycle or motorcycle, so space and weight come at a huge premium. And of course my bank only lets me pair one phone per account.

      • 2-718-281-828 2 years ago

        > I travel by bicycle or motorcycle, so space and weight come at a huge premium.

        Sure, but being protected from losing your digital prowess comes at a high utility-per-weight ratio.

        > And of course my bank only lets me pair one phone per account.

        That's a bummer. I can pair several. Just need to scan some QR code.

        • nicbou 2 years ago

          Replacing the smartphone isn’t the problem. It’s regaining access to things for which the smartphone is the key. If I lose the sim card I’m back to square one.

          This is a big part of my threat model.

  • jerryzh 2 years ago

    Before smartphones, if you lose your passport everything goes wrong as well. (And noticing your phone is missing and getting it back is way easier than with a passport.)

    • discordance 2 years ago

      The worrying difference for me here is that when I travel, I pull my phone out of my pocket 50 times a day but I only use my passport once or twice a week and can store it safely in between.

      • nicbou 2 years ago

        I strapped mine to a motorcycle and subjected it to sun, rain and dust for a few months. The GPS interface was baked into the screen, but it kept going. It even flew off the bike at speed once. I never had a phone fail from abuse.

        But I had much dumber failures:

        - Walk on a log to get a better picture of a lake, slip, and drop the phone in freezing water. Took multiple weeks to regain access to everything.

        - The humidity presses buttons in my pocket. Too many passcode attempts, iPhone factory resets itself while abroad. Lost a bunch of unsynced photos that time.

        • discordance 2 years ago

          That's cool, although I was referring mostly to the risk of loss or theft, not reliability. Phones are a more generally sought after commodity compared to passports.

      • eternityforest 2 years ago

        Yeah, but if you lose it you won't notice for a week and it has no GPS tracking, nor PIN lock, and it can be harder to replace.

        The phone number is scarier than the phone itself, since backup sim cards aren't a thing most people do, and replacement might be slow or impossible till you get back.

    • dataflow 2 years ago

      Everything? The only thing that goes wrong is being unable to travel internationally, but I think consulates often have a process for issuing emergency documents for even that case?

      • bzxcvbn 2 years ago

        Try to present a foreign ID without your visa to a US police agent and let me know how it goes.

        • dataflow 2 years ago

          It's not like this is a common thing to need to do when you're traveling...

        • 2-718-281-828 2 years ago

          Will provide for an exciting story to tell when you're back, but should be resolvable in about 24h pretty much everywhere on the planet.

    • falcolas 2 years ago

      I live in the US. Passports are effectively irrelevant for me, even should I travel several thousand miles. Phones… not so much.

      And I’m not mentioning the US because its unique in this attribute.

      • UncleEntity 2 years ago

        It’s different if you’re a foreign national.

        In ‘05 I was traveling in the EU, across the open borders, and got checked by customs agents because of a bombing in, I believe, London. Thought it was weird but, whatever… Later on I pieced together what happened because even if they were only doing spot checks it’s not like I don’t perfectly blend in with Europeans.

        A bit of an aside, custom agents absolutely loved my customs stamp from Iraq back then. Well, aside from the Dutch.

  • kovacs_x 2 years ago

    eSIMs are available these days, so you don't have to wait for a new SIM to arrive... if your provider & phone support this feature.

    • dataflow 2 years ago

      Don't eSIMs have an even worse failure mode? If the phone itself dies then there's no SIM for you to take out and put into a new phone immediately right? As I understand it you have to first find another phone (with a working line!) to call your provider with, hope that it's within their business hours, and wait on hold for who knows how long, until you finally get it set up? Because of course you don't have anything urgent you need to take care of in the meantime while you wait for your carrier to give you back the keys to your digital life right?

      • withinboredom 2 years ago

        With Vodafone, I just log in on the website and swap the eSIM. It's ridiculously straightforward, and you can set a SIM PIN that works across devices, so even if someone were to steal the login and try to take your eSIM, they still need the PIN to unlock the SIM on the device.

        • dataflow 2 years ago

          That's better than what I've seen, but that still requires you to find a second phone with existing service? Everyone has 2 spare phones with 1 additional line of service lying around right? Or a computer with internet service I guess.

          With a normal SIM all you need is the device you're going to put it into. And a needle/paperclip...

          • withinboredom 2 years ago

            Obviously, you need a second phone to put the SIM or eSIM in. It doesn't necessarily need service though.

            You just need an internet connection to get the QR code for the eSIM (though I have a paper version I can scan as well). The beauty is I don't have to swim to the bottom of a lake to get the original phone to get the original SIM. I can just scan the piece of paper and put my PIN into the new phone. Though I think no matter what, I would have to go online to give the IMEI so the phone will successfully activate.

      • loyukfai 2 years ago

        Phone companies don't let you apply for replacement esim through a website?

        • dataflow 2 years ago

          Maybe some do? I've seen ones that don't.

theonemind 2 years ago

I didn't have a cell phone until work issued me one around 2018 or so. (I never really liked the idea.) Generally, I don't have many single points of failure tied to the phone not tied to work...certainly nothing related to my banking.

You can still live in 2022 without one, although the assumption that you have one gets more annoyingly entrenched year-by-year.

I don't quite know what these single points of failure are, but they must tend not to exist when you have a "hard no--I have no such device" in your back pocket...you can choose services that don't require it, use hardware token 2FA, or something. Somehow, it does still work out to simply not have one, but it seems hard to avoid reliance on it once you've got it, since you don't see a service and think "well, I guess I just can't sign up for that one", but instead whip out the cell phone and comply.

  • boring_twenties 2 years ago

    Recently I had the displeasure of traveling through Newark Airport and at least at Terminal C, you cannot order anything from any bar or restaurant without a phone. You must scan the QR code and order that way. If you talk to a worker or even manager and tell them you don't have a phone, they will tell you they can't help you.

    • Ekaros 2 years ago

      That feels just asinine, especially in a place like an airport where people might prefer not to use their phones for various reasons...

  • jjav 2 years ago

    > Generally, I don't have many single points of failure tied to the phone not tied to work

    Agreed, this is the way to go. I've always found it amazing how easily people will create a fragile SPoF dependency on a phone, which can so easily be lost/broken/etc. And more importantly, it's a single point of centralized tracking, so the last thing you'd want is to have everything tied to it.

    While I do have a phone, mostly for use as a hotspot, I pretend I don't. I'll always take the course of action of not having a phone.

  • didip 2 years ago

    How is this possible? Are you from an older generation? Do you live so far away from the city?

    • AnimalMuppet 2 years ago

      The initial question was about "single point of failure". The answer is, don't create such a single point of failure in your life. And you regard someone doing that as "you must be either old or a hick". Maybe they're just someone who doesn't want a single point of failure for everything in their life.

      For myself, I have a cell phone, but I don't have anything on it. No banking. No work apps. Nothing. When work asked me to put an authentication app on my phone so I could sign in using their new authentication scheme, I said, "No, I'm not putting any work app on my private phone. Hard no. Give me something else." So they gave me a little USB thingy to use instead.

      If I lose my phone, I lose my contacts (but my carrier has a copy of those), my text history (but maybe my carrier has those too?), and any photos that I haven't copied off. That's it.

    • dsr_ 2 years ago

      How is this possible? It's easy.

      Let's pretend you have a smartphone and a computer. Take the phone, and look at every application that you actually use. Make sure that application can be used on a web browser and you have the credentials stored in a password manager. Transfer your cell number to a VOIP service. Find your carrier and cancel your contract or autopay or whatever.

      Now shut off the phone, and leave it in a drawer. If you can take out the battery, that's good, but you probably can't without breaking the case.

      Put some cash in your pocket if you weren't in the habit of doing that before.

      That's it, you're done. Remember to check your mail and messages on the VOIP line from time to time. If you ask the VOIP people to send voice mail to email, that makes it just one thing to check.

      • Dr_ReD 2 years ago

        Then you discover your bank, your credit card, your shopping mall, WhatsApp, Gmail, Facebook and Grindr all have blacklisted SMS to VOIP numbers and also, they're phasing out SMS support anyway... So you'll need all their own specific apps anyway... And both your neighbourhood Burger King and the whole airport in which you just landed won't let you order food without a phone, an app and a QR code... And then you live in Italy where you can't ever buy stuff over 1000€ with cash... And where you need an app to access the nation's many exclusively online services.

        No. You can't avoid it. All you can do, with this kind of passive resistance, is delay it for a bit. :/

        We (the people) need to push back and be vocal about the stupidity of this trend.

        • dsr_ 2 years ago

          I've never used an app from my bank. They have a website.

          My credit card has a website. I don't store my card on my phone. It's a card, I carry it around in a wallet.

          Why would I need an app for a shopping mall? I was in a mall last year, because that's where the LEGO Store is.

          I've never used WhatsApp.

          Gmail is a website. Facebook is a website. Never used a dating app.

          I don't need to use an application to get to Burger King, I have feet and cash.

          My credit cards work in Italy. Anywhere there's an MC, Visa, Amex or Discover logo, I've got something that will work.

          Pushing back starts with refusing to do stupid things just because all your friends are doing it.

dsr_ 2 years ago

Go through the whole list and figure out which of these services really requires your phone, and which you have set up on your phone because that seemed the easiest path.

Tell your workplace you're about to switch from carrying a phone to a landline: what is their fallback option? (It's about 50/50 whether they have one, but they definitely should.)

  • dotancohen 2 years ago

    > Tell your workplace you're about to switch from carrying a phone to a landline

    In my country we still respect people who use dumbphones, because a religious minority eschews the smartphone. I'm very grateful for this, I tell my bank and other entities that I have to deal with that I have a dumbphone and all local entities have a path for accommodating this.

  • oneplane 2 years ago

    This is the best way to go about this (the first line, the second line is rather variable). Phones didn't suddenly become a single point of failure, it's mostly middle-management combined with checkbox-security that ends up with SMS, TOTP and push-based confirmation factors. It's not the best way, but the easiest way to set things up.

    To make matters worse, TOTP is easy to copy for 'backup' purposes, so it's really not all that good (but still orders of magnitude more secure than SMS), but people are now actively encouraged to use multi-device TOTP like Authy which practically invalidates it as a separate factor.

    There are of course practical implications as well. Giving everyone a Yubikey is problematic due to cost, same with smartcards and readers at every workstation (the card isn't the problem, replacing everything with readers and changing the authentication system to accept smartcards is). RSA SecurID is expensive too, and essentially just TOTP. You could only use FIDO-enabled devices like the ones with secure enclaves, but that has the same problem as smartcards.

    One thing that happens a lot around here is people carrying two phones, which doesn't solve anything but does shift the work/blame/cost on the company because everything will have to be done on 'their' device. This is a bit impractical because now you're constantly walking around with two phones, or have to manage which phone you happen to have on you.

    On top of everything else: all other second factors can be lost too, that is by design because it is supposed to be 'something you have'.

    • marcosdumay 2 years ago

      > all other second factors can be lost too

      The problem is how the phone is irreplaceable and non-redundant, and not that it can be lost.

      • oneplane 2 years ago

        That is not really the problem, that is the symptom. Making it redundant makes the factor property moot. And while it might be hard to replace, it's not irreplaceable. One issue is that if you have 60 TOTP accounts on an app on a phone and you desire to replace it you'll end up with a keyring full of FIDO keys. Those are just as 'non-redundant' and 'irreplaceable' as the phone was.

        The problem that causes the symptom is pass-the-audit mentality in the implementation of MFA. You have many options to make this "better" like picking any push, FIDO, U2F and TOTP method at authentication time. Lose 3 of those and you still have one available for the normal flow. And then there are backup codes that most people don't actually print and store because for some reason they are either unaware of it or believe that it will never affect them.

  • pferde 2 years ago

    Yeah, if my employer wants me to use a smartphone app, they better cough up a smartphone for me to use. I'm not installing anything work-related on my private one, because I am in no position to guarantee that I won't break it or lose it.

    I've had pushback from the employer about this a few times, but in the end, there's nothing they can do.

    • Sunspark 2 years ago

      The way to handle this situation that respects your space while minimizing conflict, is to have a second phone just for work only that they can mobile device manage to their heart's content with all their useless apps.

      This means using one of your older devices for it if available, otherwise you can purchase the cheapest unlocked one sold at an outlet store and consider it a cost of doing business like clothing.

  • adamjb 2 years ago

    My workplace's solution was to simply turn off 2FA for my account

  • Spooky23 2 years ago

    Depends on the security requirements and terms of employment. Where I work now, you’d get a hard token or work phone if you’re deemed as requiring a phone.

    In the previous job, you were sent the form for 24x7 building access and were free to drive into work within the on-call response period. You were also reimbursed for your cell phone, that was the bronze handcuff.

    • ethbr0 2 years ago

      Under current case law in the US, my understanding is that public ("operational realities" and reasonable suspicion tests) and private employers (fewer tests) have rights to audit any information on employer-compensated devices they wish (and have access to).

      I only use a work phone for work business. If my work requires me to use a phone, I require a work phone.

      Carrying two phones is a small price to pay to avoid worrying about an overzealous employer's IT staff.

      https://en.m.wikipedia.org/wiki/City_of_Ontario_v._Quon

      https://en.m.wikipedia.org/wiki/O%27Connor_v._Ortega

      • Spooky23 2 years ago

        150% agree. That’s a whole other can of worms.

        Even if the business doesn’t want to audit your phones, a litigation event could force the issue.

  • ulfw 2 years ago

    Why should they have a landline fallback?

    • orev 2 years ago

      Because in Operations you need to cover all the scenarios, regardless of what the Developers think is the “only way” to do something.

  • theandrewbailey 2 years ago

    Good 2 factor auth systems will provide the option to be called on the number on your account.

    • Spooky23 2 years ago

      Phone isn’t a secure factor in 2022.

      • BLKNSLVR 2 years ago

        If this is due to the vulnerabilities in the SS7 protocol, then it hasn't been secure since 1975.

        Or at least 2008 when a set of vulnerabilities were published.

        https://en.m.wikipedia.org/wiki/Signalling_System_No._7

        • Spooky23 2 years ago

          MFA is supposed to be something you have in most cases, the phone is a weak proof of a line of phone service that has decreasingly diminished meaning over time.

          NIST describes a framework for required authenticators for different levels of trust. It’s a good starting place for understanding what represents secure practices vs theater.

        • Sakos 2 years ago

          Well, yeah. Back in 1975, we weren't generally using our phones for authentication. The environment has changed and the security issues are far more important now.

jasode 2 years ago

>i can't log in to any of my banks without my phone.

Don't know about banks in Europe but in USA, I can log into Bank Of America and JP Morgan Chase without any phone authentication.

If I reformat my harddrive or buy a new computer and the bank doesn't recognize the web browser because no previous cookie has been found, the website will generate a one-time code and send it to my email address. I then enter that security code and the web browser is "recognized" without further issue. The smartphone was not needed in any step.

EDIT ADD: I did open my bank accounts before 2007 and thus before the smartphone era. Because of that, there may be a possibility that my logins are "grandfathered in" to not require any smartphone app authentication. It's possible that opening new accounts today with BofA/Chase require smartphones but somebody else would have to confirm/deny that.

  • daneel_w 2 years ago

    My Swedish bank offers two methods. One is the nationwide e-identification system called BankID - used for loads of commerce/governmental/identification/authentication in Sweden - which requires Internet access and works on computers as well as smartphones. The other method uses a discrete HOTP-type device (with a personalized login card) which accepts a challenge code from the bank login page and outputs a digested authentication response. As far as I know, all major banks in Sweden offer both or at least one of these two methods.

    In the past a lot of banks here used OTP scratch cards, and would automatically send you a new one in the mail when you used one of the 10 last codes or so on the card.
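The challenge-response reader described in the comment above (a login page shows a challenge, an offline device keyed to the customer digests it, the user types the short response back) can be sketched in a few dozen lines. This is an added illustration, not the protocol of any Swedish bank: the HMAC-SHA256 construction, the 8-digit truncation, the per-customer keys and the 120-second challenge lifetime are all assumptions. The point it makes is the one the comment implies: the response is only good for the one challenge the server issued, so a captured response cannot be replayed, and nothing about the flow needs a phone.

```python
import hashlib
import hmac
import secrets
import time

# Constructed per-customer device keys (assumption). A real reader derives
# these from the chip on the debit card; here they are fixed bytes for demo.
CARD_KEYS = {
    "alice": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "bob":   bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}


def device_response(card_key, challenge, digits=8):
    """What the offline reader computes: HMAC-SHA256 over the typed challenge,
    reduced to a short decimal string the user can type back into the page."""
    mac = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class BankLogin:
    """Server side: issues one-shot challenges and checks responses."""

    def __init__(self, card_keys, ttl=120):
        self.card_keys = card_keys
        self.ttl = ttl
        self.pending = {}            # (user, challenge) -> expiry timestamp

    def issue_challenge(self, user, now=None):
        now = time.time() if now is None else now
        challenge = str(secrets.randbelow(10 ** 8)).zfill(8)
        self.pending[(user, challenge)] = now + self.ttl
        return challenge

    def verify(self, user, challenge, response, now=None):
        now = time.time() if now is None else now
        # pop() makes the challenge single-use: a replayed response fails even
        # if the attacker captured it seconds earlier.
        expiry = self.pending.pop((user, challenge), None)
        if expiry is None or now > expiry:
            return False
        key = self.card_keys.get(user)
        if key is None:
            return False
        expected = device_response(key, challenge)
        return hmac.compare_digest(expected, response)


def walkthrough(now=1_700_000_000):
    """One login followed by a replay of the same challenge/response pair."""
    bank = BankLogin(CARD_KEYS)
    ch = bank.issue_challenge("alice", now)
    resp = device_response(CARD_KEYS["alice"], ch)     # typed on the reader
    first = bank.verify("alice", ch, resp, now)        # accepted
    replay = bank.verify("alice", ch, resp, now)       # rejected
    return first, replay


if __name__ == "__main__":
    print(walkthrough())
```

The server never learns anything from the response it could not already compute, and losing the reader means losing a cheap, replaceable token rather than the device that also holds your email, contacts and the rest of your accounts.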

  • Dr_ReD 2 years ago

    In Italy it's a disaster. You need the phone /and/ their specific app, for mostly everything. From burgers, to banks and everything in between...

    • jesprenj 2 years ago

      The biggest bank in Slovenia also requires an app, but I wrote a webapp that implements the reverse engineered protocol the bank uses in the mobile app (the protocol is basically a TOTP implementation brought from a private company).

  • nonamesleft 2 years ago

    A bank in Finland: they try to push their authenticator which doesn't work on my phone (de-googleized android and too old), but they have retained the option of using an OTP code list + sms, previously it was just OTP code list, but due to some silly directives they added sms.

    Authenticating with bank OTP also work for government and other stuff. (Common here as there is no state authentication system other than some failed id cards afaik.)

    • Ekaros 2 years ago

      I really never got the point of the SMS. If I was deciding it I would have mandated that authentication can't be on the same device payment happens. Just to see how they solve that issue...

  • NaughtyShiba 2 years ago

    In Europe we have it in few countries.

    In my case - You enter your unique ID (6 numbers), then I’ve to type a 4-number PIN on my phone. There’s also a verification number shown on both sides, to compare authenticity. When approving payments, it also shows details and requires a longer PIN code.

    Much easier than earlier versions.

    And the authentication provider can be used at insurance, e-government, e-signing and other services.

  • duxup 2 years ago

    Similar experience in the US with the banks I’ve used. I can simply use the PC without involving my phone.

    Also if all else fails I can go in to the bank and take care of things.

  • PaulDavisThe1st 2 years ago

    I had a Chase account and for some years was able to use email for 2FA. Somewhere around 2019, they changed their requirements and forced SMS for 2FA. Since I don't use a (SIM-ed) phone and since my wife's phone number was already known to them, I had to pull all of my liquid savings out of the account and move it elsewhere.

    I will never bank with an institution that requires SMS for 2FA.

    • jasode 2 years ago

      > Somewhere around 2019, they changed their requirements and forced SMS for 2FA.

      I just logged into Chase via desktop web browser and there's not a 2FA requirement.

      I also deliberately used a different computer and got the familiar security prompt of "We don't recognize this device": https://imgur.com/a/jKM4MPq

      I see that sending the challenge code via email is not in the list but there's an option to call them for it. It's more inconvenient but it looks like neither SMS text nor a mandatory Chase smartphone authenticator app is required.

  • bryanrasmussen 2 years ago

    I can log into my bank without my phone in Denmark, but they are pretty much getting rid of that capability. Supposedly more 'secure'

    • Freak_NL 2 years ago

      That's code for 'cheaper'. Banks in the Netherlands are constantly trying to push all their customers to their apps, some (like ING) are actively trying to get rid of their alternative (but keep getting somewhat forced to offer it), and some (like BUNQ and KNAB) are 'smartphone only' from the start.

      Cryptographically, the idea of a discrete piece of hardware that uses the chip in your debit card to generate secure responses is fairly sound. And if smartphones didn't exist, it would be an unquestioned piece of technology that might even be commodified to the point that any such device could be used by all banks in the country. But smartphones exist, and having the customer loan the banks their hardware (which is often replaced within five years, so free updates too!) is quite attractive. No more hardware to support!

kome 2 years ago

Indeed it's incredibly stupid development. Fuck smartphones, really. I don't own one and I feel happy overall, but life is complicated because nowadays some sort of stupid app is required (most of the time, for no good reason) and dealing with those requirements always cost so much thinking.

I don't want a micro-computer in my pocket, I stay at the computer all day anyway, a better one.

Why can't I do with a real computer what it is possible to be done with a phone?

A smartphone is just a tracking device, and it is terrible for privacy - but great for advertisers and similar industries.

Otherwise, a computer should be able to do everything a smartphone does.

  • Dr_ReD 2 years ago

    Amen to that.

    Plus, half of the 2fa apps from the various services (most of which just want their very own app) work only on recent phones and most won't even install without google-services.

    And if you lose your phone, you're toast!

    So, it's not enough to have one smartphone always at hand...

    You must have a backup phone too!

    ... and both must be fairly new... and they must both bear the all-dreaded google-battery-eating-spyware...

  • rr808 2 years ago

    Me too, in my ideal world I wouldn't have a phone, but now I need one for transport, food, financial services, nearly everything.

    • kome 2 years ago

      I don't know where you live, but in Europe you can still live without a smartphone. But I live in a city with good public transport (no need of ubers); banks still work without a smartphone (but you need a burner phone for SMS, unfortunately), etc.

      • dagw 2 years ago

        "Europe" is big and diverse. So while there exists places in "Europe" where that is true, in many other parts of "Europe" it is getting harder and harder.

      • Dr_ReD 2 years ago

        Oh, I don't know about the rest of Europe, but here in Italy you either have to deal with it, or restrict yourself oh, so very much (to the very few services that still work without a phone). Here most everything, even state portals such as medicare, tax, national motorists services, pensions services, etc. are nigh impossible to access without a phone.

        And it's so sad.

  • clsec 2 years ago

    Absolutely!

    I lost my iPhone 7+ recently and had no idea how attached I was to that phone. Being someone conscious of infosec I had iCloud turned off and what I thought were minimal apps installed. That said, and with the fingerprint reader/my 18 char PW, I'm pretty sure no one besides a nation state/NSO could get into my phone. So losing it wasn't really a big deal except for the loss of contacts (had most on a old phone) and being locked out of my email (thanks 2FA).

    Unlike you, I haven't gone fully phone free. But I do now have a free Android phone that has nothing on it that I can be locked out of. No medical, no banking, nothing personal except for email. And if I felt I could get away with it, I'd have no phone at all.

megraf 2 years ago

I don't have the same view, in my mind you have created a single point of failure for _yourself_. I use Authy for MFA, which comes with a desktop app. Phone's dead / missing? No problem, I can get OTPs from my laptop.

What about text messages? Google voice. Which of course has a desktop interface. I've been doing this for years. It's nice not to have to rely on a watch, or phone entirely - although they do make my life easier.

  • NohatCoder 2 years ago

    Sure, blame the user, that is the mature response whenever someone is pointing out that modern ID security is a topple tower.

    Whatever technical solutions can be made don't really matter unless normal people can and do use them correctly. In any case, simply setting up another non-phone computer to do the job of the smartphone doesn't change the fundamental issue, it can still break, or get stolen, or some account can get closed for spurious reasons.

    • megraf 2 years ago

      >"Sure, blame the user, that is the mature response..."

      We're all here to make our own decisions. We're all here to seek enlightenment. I've made it very clear that the decisions that I have made have placed me where I don't have the same issues as OP.

      I'm enlightening OP, and everyone who reads these comments, I'm not "blaming" anyone.

      • agileAlligator 2 years ago

        When you acknowledge that there is a problem in the system and have solved it by way of a third party application, why do you still place the blame on the user for not solving the problem the same way you did instead of the system for having holes in it

        • 888666 2 years ago

          How does providing information have anything to do with placing blame?

          • agileAlligator 2 years ago

            > in my mind you have created a single point of failure for _yourself_

            You are offloading decisions to the consumer, decisions that the consumer shouldn't have to take. They should be solved by systems design already.

      • hundchenkatze 2 years ago

        "in my mind you have created a single point of failure for _yourself_."

        You are blaming them in your first sentence. You're both blaming and informing, your message would come off much more friendly without the first sentence.

      • greenie_beans 2 years ago

        you can't expect most consumers to make these same decisions — the vast majority of people are nowhere near as savvy as the typical hacker news commenter.

    • Dr_ReD 2 years ago

      Especially when the user is a senior or a minor, blaming the user is not really the solution.

  • vladvasiliu 2 years ago

    The issue is that some services insist on using their own app as a second factor. You can't choose to use a superior U2F YubiKey, for example. You are also not allowed to have their shitty app installed on multiple phones at the same time. If you lose your phone, you need to call them up to reset this.

    To name and shame: BNP Paribas, one of the biggest banks in France.

    • Double_a_92 2 years ago

      > you need to call them up to reset this

      My bank sent me a super key (some colorful QR code) to setup new 2FA devices, which I need to securely store somewhere.

      • cube00 2 years ago

        It's interesting that a super key even exists. Normally the enrolment QR codes are one time use only.

        • gunapologist99 2 years ago

          This is incorrect.

          A standard TOTP QR code can be used on multiple devices or saved and printed (and stored in a safe or something). There is no expiration date encoded in the QR; it is simply the shared secret for the TOTP app to use and some extra metadata like labels. See https://www.rfc-editor.org/rfc/rfc6238

          It is a good idea to enroll multiple devices as a backup against failure, or to store it somewhere safe.
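The two comments above (oneplane's point that TOTP is trivially copied for "backup", and gunapologist99's that the enrolment QR is nothing more than the RFC 6238 shared secret plus labels) are easy to see in code. The block below is an added example, not code from either commenter or from any authenticator app. It parses an `otpauth://` URI of the kind encoded in enrolment QR codes, implements RFC 4226 HOTP and RFC 6238 TOTP on top of it, and shows that two independent "scans" of the same QR produce identical codes. The issuer and account name in `EXAMPLE_URI` are made up; the secret is the RFC 6238 test secret (`12345678901234567890`) so the output can be checked against the RFC's own test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrolment URI in the format authenticator apps read from the QR
# code. Issuer and account are assumptions; the secret is the RFC 6238 test
# secret "12345678901234567890" in base32, with the RFC's 8-digit setting.
EXAMPLE_URI = (
    "otpauth://totp/ExampleBank:alice%40example.org"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBank"
    "&algorithm=SHA1&digits=8&period=30"
)


def parse_otpauth(uri):
    """Return what an authenticator stores after scanning the QR.

    Note what is absent: no device binding, no expiry, no counter state.
    Anyone holding these bytes produces the same codes, which is why a second
    device or a printed copy enrols just fine, and why a copy is a full clone."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret_b32 = q["secret"].upper().rstrip("=")
    secret_b32 += "=" * (-len(secret_b32) % 8)      # restore base32 padding
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "algorithm": q.get("algorithm", "SHA1").lower(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then the
    'dynamic truncation' that picks 4 bytes at an offset taken from the MAC."""
    digestmod = getattr(hashlib, algorithm)
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(params, at=None):
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / period)."""
    at = time.time() if at is None else at
    counter = int(at) // params["period"]
    return hotp(params["secret"], counter, params["digits"], params["algorithm"])


def codes_from_two_enrolments(uri, at):
    """Scan the same QR on a phone today and from a printed copy later:
    both derive the same secret, so both emit the same code."""
    phone = parse_otpauth(uri)
    printed_backup = parse_otpauth(uri)
    return totp(phone, at), totp(printed_backup, at)


if __name__ == "__main__":
    p = parse_otpauth(EXAMPLE_URI)
    print(p["label"], p["algorithm"], p["digits"], p["period"])
    print("RFC 6238 T=59 ->", totp(p, 59))          # 94287082 per the RFC table
    print("two enrolments now ->", codes_from_two_enrolments(EXAMPLE_URI, time.time()))
```

The same property that makes the printed QR a usable recovery path (no replacement phone, no carrier call) is what oneplane objects to: once the secret is in two places the "something you have" is whichever copy an attacker reaches first, so the backup should sit somewhere offline rather than in a cloud-synced app.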

  • noSyncCloud 2 years ago

    >Google Voice

    Anecdotally, my bank (Wells Fargo) will not accept VOIP numbers for 2FA.

    • thesuitonym 2 years ago

      Many companies, not just financial ones, are the same. They usually fail silently, too, so you sit around wondering if the text ever sent.

    • Spooky23 2 years ago

      Yup. Chase does the same thing. They blackhole SMS to Google voice.

      • mindslight 2 years ago

        Yet another push to get a better bank, in addition to all their ridiculous fees. Ally blackholes Gvoice (messages just disappear), but gives you an email option to login. When calling customer service, they can do the challenge with a phone call rather than SMS. Capital One, Discover, and Alliant all seem to accept Gvoice just fine.

        There of course is a major problem that Gvoice seems to be special, in that many places will accept Gvoice but not standards-based VOIP competitors. I even had a problem with someone on "Comcast mobile" not being able to text a Voip.ms number of mine.

        • Spooky23 2 years ago

          Oh agreed, Chase is an awful bank in any dimension. I use a credit union for most things.

          Chase owns the Amazon card, and 5% rebates on Amazon are worth dealing with the drama.

        • 1123581321 2 years ago

          Probably Comcast Voice. Comcast/Xfinity Mobile is a Verizon MVNO

      • withinboredom 2 years ago

        Same with USAA. This is pretty recent though.

        • unethical_ban 2 years ago

          USAA's "Cybercode" logon options are god-awful. It's Symantec VIP wrapped in their mobile app.

          I have no idea why generic TOTP with backup codes is not an option for every site on the planet.

  • canadianwriter 2 years ago

    "I use Authy for MFA, which comes with a desktop app"

    Fantastic. A lot of banks (at least here in Canada) ONLY have text or phone call for 2FA (which is awful, but welcome to banking).

  • unethical_ban 2 years ago

    Some of the most important things to secure, namely many banks, both

      * mandate MFA
      * use proprietary and/or insecure phone-based mechanisms

    I agree with all my heart that TOTP with backups is ideal. I discovered Authy a few months ago, and only because of that app did I enable 2FA on Amazon, Discord, AWS, and a number of other sites that offered it.

    Ask me how many of the six banking and investment apps I use support generic TOTP.

  • newscracker 2 years ago

    > in my mind you have created a single point of failure for _yourself_. I use Authy for MFA

    Since Authy requires an SMS verification for setup, now you’ve made yourself vulnerable to SIM jacking. A better approach would be to use a TOTP generator that doesn’t verify you by SMS.

    In general, there’s no point in people dissing SMS OTP as insecure and at the same time adopting a service that uses it.

  • BLKNSLVR 2 years ago

    TIL Authy has a desktop app. Thank you friend, said app will be somehow added to my setup and workflow as another option.

  • auslegung 2 years ago

    Can you get OTPs on Google voice? Last I read (years ago) they said don’t do that because some won’t support it

    • knaik94 2 years ago

      Some of the financial services I use do, some don't. Things like discord don't either which is also annoying.

lotsofpulp 2 years ago

Because using phone numbers to decide if human or bot is cheap, easy, and effective.

Politically, there is no will for a national identity verification type service as infrastructure. And this way, all the work gets outsourced to ATT/Verizon/T-Mobile, and politicians get to say “it is not our fault” and telecoms get to say “it is not our job”.

  • dusted 2 years ago

    And scamming yourself to another persons phone number to entirely take over their digital life is also cheap, easy and effective.

    • lotsofpulp 2 years ago

      And that is a problem for a sufficiently small population that it is not yet a political priority. Crazy, since the federal government already does passports, and the infrastructure is basically in place with USPS offices.

      • Spooky23 2 years ago

        ID is an issue that both extremes of the political system are against.

        Super conservative types are worried about mark of the beast, etc. Super progressive types are worried about folks on the margins of society being able to get ID.

  • jjk166 2 years ago

    Regardless of who is doing the job, you're still going to need some device on your person (or otherwise readily accessible) that can be used to confirm that you are actually you, and whatever that device is will become a single point of failure.

    The real issue is there needs to be some simple standard workflow for when the device (be it smartphone or otherwise) fails. And in this case the government pretty much already is providing that service, or at least the backbone for it. "You lost your phone? Well send us a picture of your driver's license or passport plus a selfie in [this] pose from a different trusted number and, after we try calling your old number just to make sure it's really lost, we'll use the new number." Financial institutions already have the infrastructure for photo-id confirmation for KYC regulations, and selfie verification is widely used for dating apps. Yeah if someone breaks your phone, steals your id, and can deepfake you then they can probably steal your identity, but someone in that position can probably already steal your identity.

    • pessimizer 2 years ago

      > you're still going to need some device on your person (or otherwise readily accessible) that can be used to confirm that you are actually you

      Nah, we don't need that. We've been doing without that for thousands of years.

      • wmeredith 2 years ago

        We also did without anesthesia for thousands of years. This is not a great argument against something.

      • jjk166 2 years ago

        Well there's this new thing called the computer which offers both exciting new opportunities like online banking but also new challenges like password cracking which mean we can no longer rely on old methods of identity verification like pulling swords from stones.

  • cassianoleal 2 years ago

    You don't need a smartphone to have and use a phone number. I suspect the OP is about smartphone app authentication.

    • lotsofpulp 2 years ago

      Oh, yes, I think I misread. In that case, I guess the spam/bot reduction efforts are outsourced to Apple and Google’s App Store and mobile OSs.

  • mindslight 2 years ago

    The lack of political will you speak of is better seen as a reaction to the deeper problem that there is no political will for protections that would go against commercial desires. Social security numbers were created solely to facilitate social security but had no legal protections enforcing this, and thus are now being widely abused by private companies. The same with driver's license numbers. Without a US GDPR that gives me the right to delete my permanent records from corporate surveillance databases, I am dead set against government mandates that would create even more vulnerabilities for unaccountable surveillance companies to exploit.

    • pessimizer 2 years ago

      Or vulnerabilities for fully accountable governments to exploit, either. Governments may be accountable to their supporters, but they're not necessarily accountable to me. They could decide tomorrow that it's illegal to be Jewish or to have been descended from Jews, and they have before.

      • mindslight 2 years ago

        That's a much stronger argument, that I'm indeed sympathetic to. But I don't think it will ever win in the courts of public opinion or practicality. In general, governments are always going to demand some way to identify and enumerate their citizens, and so making that a deliberate thing rather than an emergent thing allows it to be better constrained. If involuntary storage of personal information were limited to bona fide government purposes then, for instance, we could politically complain when the government wanted to catalog everyone's ethnicity/religion in their databases. As it stands currently, the government itself doesn't need to abuse the vulnerabilities like in your example, because at any time they can get that information from companies who have done so for them.

        • pessimizer 2 years ago

          > In general, governments are always going to demand some way to identify and enumerate their citizens

          I think that this is something that has only become insisted upon in very recent history (when it was seen as a technical and social possibility), and that governments functioned just as well without. Ways of identifying strangers should be annoying, tedious, and expensive.

          edit: When I was a kid, you could spend a week in jail and be released without the justice system having any way to verify who you were.

          edit: What I'm really saying is that the "national identity verification type service" is as much a problem as the corporate databases, which it's also not really distinct from (the corporate databases work as a national identity verification service.) The problem is this desire to account for and control everything. Everyone with a little power is overcome with data FOMO.

beebeepka 2 years ago

I hate it. They have been phasing out web for years in the EU.

Banks mostly but these days employers too. Getting a separate device, or multiple, seems like the least horrible option to me.

Turns out everyone wants a piece of my data in the name of convenience. Only, it's their convenience, not mine.

  • kome 2 years ago

    "They have been phasing out web for years in the EU."

    This is such a perfect summary of the situation; thank you for formulating it so clearly. To me it is insane that we are switching from a perfectly open and interoperable standard to the walled gardens of iOS and Android.

    • fsflover 2 years ago

      This is why I ordered both GNU/Linux phones, Librem 5 and Pinephone, to support the alternative. Of course, I have problems with the apps now, and I refuse to install them as much as possible. Every time someone tells me about an app, I'm asking whether they have an app for my Linux smartphone.

sybercecurity 2 years ago

Probably because I've heard the statement: "Everyone has a smartphone these days, so..." for the description of every app you describe. It makes some sense: single purpose devices for authentication tend to be set aside and misplaced. So it's the union of ubiquity and ease of use.

_int3_ 2 years ago

Someone, somewhere decided: your digital life is going to be tracked and recorded to a 3rd-party cloud. (We are increasingly getting to that point.) To accomplish that you were given a central device (a smartphone) on which you ought to do everything related to your digital life. So how to remedy this? Easy, just don't do that.

pessimizer 2 years ago

Because they're the thing in your life that you have the least control over. Businesses and governments can lower all kinds of costs by using your phone to manage you. If kings had the ability to distribute smartphones when feudalism was in full swing, feudalism never would have ended.

They watch you while you watch them, and there's nothing you can do about it. What I really wonder is whether we're 10 years away from police being dispatched if your phone is turned off (which, of course, would have started as opt-in, and ended as getting a ticket for letting your battery die), if we're 50 years away, or if there will be some sort of Butlerian Jihad before it happens.

edit: we can pretend this is just about authentication, but the reason smartphones work for authentication is because you have no control over them. If you root your phone, it becomes useless for authentication.

BLKNSLVR 2 years ago

I always have a backup Android device set up as per my standard operating environment for this very reason. I'm actually due to set up another one as my previous backup went to my daughter for her birthday recently (but it still has my SOE hidden on it).

But also, I don't use my phone for banking because I still don't trust mobile ecosystems. I use a dedicated VM that requires a decryption password to boot up.

But yeah, banks are pushing for app usage rather than web interface, which is ironic given that my bank still only has SMS 2FA, not token-based. So why would I trust their app to be anywhere near secure in an insecure ecosystem if they can't even support proper multi-factor authentication that's been standard for, what, 5 years already?

jesprenj 2 years ago

I had a similar problem very recently with OVH. Though it's not related to smartphones.

I migrated my personal domain (nameserver and email) to a different IP address. After migrating the server, I wanted to change the glue record on OVH.ie. They detected some suspicious activity and prompted me to enter the code that was sent to my email, email on the domain that has unreachable nameservers because I couldn't log in to their dashboard. I had no 2FA enabled.

The interesting part about this is that I knew it might cause problems, so I also added a secondary email address to OVH, the one from our national academic research network. But OVH only sends codes to the primary mail! How useful ...

  • emj 2 years ago

    > only sends codes to the primary mail

    One should be able to log in with multiple methods. E.g. with 2FA you should always be able to connect two devices, and if you choose to log in with a third party like Google/Facebook you should be able to add a password for login as well.

alsobrsp 2 years ago

All my OTPs are in Bitwarden and FreeOTP.

The only thing I currently need my phone for is Google's new device login and even that goes to my tablet too.

  • arenaninja 2 years ago

    Can you use Bitwarden for TOTP? I already use it for my passwords but for TOTP I have multiple apps and I hate it

    • nicoburns 2 years ago

      Yes. You have to pay for the premium version for TOTP, but it's only $10/YEAR.

    • masklinn 2 years ago

      Yes. There’s an “Authenticator Key (TOTP)” field. Been there for several years.

      It also supports SteamGuard TOTP.

      • carlhjerpe 2 years ago

        But Steam really doesn't want you to get the key, I soft-failed when I tried. Fuck custom authentication apps, TOTP is good enough for me thanks

RockyMcNuts 2 years ago

It's crazy when museums don't give out paper maps and expect you to use your smartphone - https://twitter.com/austinkleon/status/1556466475354963968

There are old folks who aren't that tech-savvy, and smartphones + plans are not that cheap or free in the US, we still have some extreme poverty, penetration is not 100%, if you're going to make a smartphone a requirement to participate in society there really need to be super-cheap smartphone options.

  • bdougherty 2 years ago

    Amusement parks are doing this now too and it's even crazier because many of them will not allow you to have your phone anywhere on your person while on the rides.

  • jjk166 2 years ago

    There are low end phone plans in the range of $10-15/mo. You can get a prepaid smartphone for like $40, and if you aren't using cellular data, you can get the smartphone itself for around $20.

    • sockaddr 2 years ago

      Yeah, so I can wait in the lobby for 17 minutes while some 1.8 star museum app downloads to my phone over a crappy network that my provider lied about the performance of instead of someone just handing me a paper map.

      • jjk166 2 years ago

        Or you use wifi like a normal person.

        We call them phones because that's what they evolved from but smartphones are fully functional computers that we can use anywhere with ease, and using cellular data to make phone calls is only one small facet of their usage.

        For the overwhelming majority of people, being able to just pull up a map on their phone is the more convenient and preferred option. "Just handing you a paper map" is not so simple when you don't have paper maps because getting custom paper maps printed is expensive.

eternityforest 2 years ago

They're more reliable than any other affordable "your whole life in a box" device I've ever seen, at least subjectively.

Nearly no moving parts (the few remaining ones seem to be the #1 failure mode), a general purpose OS that's truly designed for what it does, etc.

On top of that, they have some built in safety features like the ability to remotely disable, wipe, and track them, plus, normal bank transactions can be reversed. I would much rather have a phone-linked account than go back to cash, and people used to carry that all the time.

Plus, for all the horror screen addiction causes, it does make losing your phone less likely, because you notice fast.

And on top of that, we used to (and still do) have MANY single points of failure ranging from debit card to notebook with meeting notes that could get you fired if you lose it to cash to house keys, any individual one of which could, if lost at the wrong time, cause a similar scale of damage to a lost phone, sometimes more.

Now, if you lose your credit card, you use your phone to disable it. If you lose your keys, you use your phone to uber. If you leave your wallet at home, you sign up for Kroger pay while standing in line, using the card number you stored in a notes file for exactly that kind of thing (true story).

It might slightly increase the risk of some pretty big disasters for some people, but for most of us, I think overall it removes a lot of common failure modes from life, so we accept the downsides.

blfr 2 years ago

Only banks do that. All other services accept TOTP (which you can have on multiple devices) or YubiKeys/webauthn/U2F (where you can add multiple hardware keys).

And even here, my bank accepts two (or more) devices with an active instance of their app. So the solution to this spof is the same as always: redundancy. You need a second phone. Your old one is probably good enough.

  • gommm 2 years ago

    I've never seen a bank accepting more than a single device with an active instance of their app. I would be over the moon if they did but they don't. So, last time I broke my phone, it took quite a while to get access to my bank accounts again.

    • blfr 2 years ago

      My bank (Polish mBank) even has a section in the webUI to manage these devices along with other access channels.

  • dont__panic 2 years ago

    > Your old one is probably good enough.

    Some of us use the same phone for years, until it loses OS/security updates. My current phone is 6 years old. By the time I upgrade, my current phone will not be able to run current authenticator or bank apps, which will target an iOS version above the last one supported by my phone. So no, my old one is not "good enough" unless I upgrade more often than I'm comfortable with.

    • blfr 2 years ago

      Funnily enough, I just had a meeting with a client asking why they would need two (and then likely more) servers doing the very same thing. Wouldn't that increase the price? Well, yeah.

simonblack 2 years ago

> i can't log in to any of my banks without my phone.

Check with your bank. Most banks have another capability of verifying who you are on login. That usually consists of a random-number generator that is in lockstep with a similar one within the bank's system. The random-number supplied by your 'token' should be the same as the one generated by the bank that is associated with your account or login.

We have three of these. One for each of the banks we deal with.

https://pic.pimg.tw/abcwithyou/1348639177-1831387207.jpg

We don't use any of the bank smartphone apps. I dislike intensely trying to do broadsheet work on tiny phone screens. It's akin to trying to do 'keyhole surgery'. I much prefer my 3840x2160 view and at a non-microscopic scale on my computer screen.
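The "random-number generator in lockstep" described above, and the point made earlier in the thread that TOTP secrets can live on more than one device, both come down to RFC 6238 TOTP. Below is an added example (not code from any commenter): a minimal HOTP/TOTP implementation, a server-side check with a drift window, and a parser for the otpauth:// URI that authenticator apps export, using the RFC test secret. The issuer/account in the demo URI is constructed.

```python
"""Added example: RFC 6238 TOTP with two 'devices' sharing one secret.

Constructed demo, not any commenter's code. Whoever holds the shared
secret computes the same code, so a backup device (or an otpauth://
export kept at home) removes the phone as a single point of failure.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

# RFC 4226/6238 test secret ("12345678901234567890") in base32;
# the issuer and account label are constructed for this demo.
DEMO_URI = ("otpauth://totp/ExampleBank:alice"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBank")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, unix_time // STEP, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Verifier side. Adjacent steps (+/- window) are accepted so that a token
    whose clock has slipped slightly out of lockstep still validates."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + k * STEP), code):
            return True
    return False


def secret_from_otpauth(uri: str) -> bytes:
    """Extract the shared secret from an otpauth://totp/... URI, the format
    authenticator apps export and import (secret is base32, per the Key URI spec)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    secret_b32 = parse_qs(parsed.query)["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # restore base32 padding
    return base64.b32decode(secret_b32)


def codes_on_devices(uri: str, unix_time: int, n_devices: int = 2) -> list:
    """Enrol the same exported URI on n devices; each computes its current code.
    All entries are identical: the secret, not the handset, is what matters."""
    secret = secret_from_otpauth(uri)
    return [totp(secret, unix_time) for _ in range(n_devices)]


def drifted_token_accepted(secret: bytes, verifier_time: int,
                           drift_seconds: int, window: int = 1) -> bool:
    """Simulate a token whose clock is off by drift_seconds from the verifier."""
    token_code = totp(secret, verifier_time + drift_seconds)
    return verify_totp(secret, token_code, verifier_time, window)


if __name__ == "__main__":
    secret = secret_from_otpauth(DEMO_URI)
    print("codes on two devices at t=59:", codes_on_devices(DEMO_URI, 59))
    print("20 s drift accepted:", drifted_token_accepted(secret, 59, 20))
    print("70 s drift accepted:", drifted_token_accepted(secret, 59, 70))
```

The drift window is the trade-off a bank makes with a hardware token: too narrow and tokens stop working as their clocks age, too wide and a code stays valid for longer than needed.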

throwaway787544 2 years ago

I use Google Voice, and the number that I use for PINs I can login to with just a password. That way I can always access text messages even if my phone is gone. You need it when traveling and your shit gets jacked.

I haven't tried it but an Android emulator should allow you to use apps without a smartphone.

  • whywhywhywhy 2 years ago

    If the banking software lets you log in via an Android emulator I'd say it's a pretty badly written piece of banking software.

    I understand why HN readers would want to maybe use an emulator to avoid having a phone but really what other use case is there than that or a scammer trying to spoof you.

    • Jaruzel 2 years ago

      Is running an app inside an Android Emulator (i.e. the ones that come with Android Studio) something the app can detect then?

  • nisegami 2 years ago

    >I can login to with just a password

    If you can, so can anyone. Although using a unique/rare password (globally, not just among your accounts) is probably enough to make this a non-issue.

  • Dr_ReD 2 years ago

    Some apps will. But most "secure" apps would refuse to run on the virtual device.

DarkwingDuckFan 2 years ago

Ask your bank and others to give you a different way for authentication. You will get another tool for that. There are several hardware authenticators and other tools out there and each bank or service offers this to you. It's you who create this single point of failure. I have a second (old) phone at home, ready for reactivation if needed. I am teaching my kids to not use the same mail address / mobile number for each service and to be sure to have a good backup for really important accounts (really important for my kid means: for Steam and other games). Try to find different ways to get the authentication. They exist. The only disadvantage is: you have to ask and it isn't as simple as a mobile.

rodolphoarruda 2 years ago

This has been my point for the last 5 or 10 years. That's why I have a "home phone" with banking apps, 2FA and important stuff installed. It has no SIM card and never leaves home. For everything else I have my "street phone".

  • Dr_ReD 2 years ago

    Yes, but then again, I'm looking at seven older smartphones —right now— on my desk, and only one is even capable of running /all/ those apps.

    I had to buy it just because of that. 'cause even my Huawei P-Smart 2021 (currently in my pocket and not among the others on my desk) can't run some of those pesky apps.

  • closewith 2 years ago

    Many banking apps require a phone number/SIM card to operate, but assuming you can copy codes, etc, what happens when you want to use those apps out and about (or abroad) if the phone never leaves home?

    • rodolphoarruda 2 years ago

      > when you want to use those apps out and about

      Fortunately, my lifestyle places me out of that use case.

    • Dr_ReD 2 years ago

      This too... :(

wizofaus 2 years ago

I'm definitely not a fan of forcing anyone to use their (personal) phone for MFA for accessing company resources - I wouldn't really consider it a single point of failure though unless it was so poorly set up that there was literally no alternative log in method in the case of a lost/forgotten/broken phone. And if that happens it's the company's loss not mine - yes I enjoy my work and don't like letting my team members down but I can happily find other things to do if I can't access the systems I need to work (and they're going to pay me either way).

discreditable 2 years ago

Next time you upgrade, keep the old phone. Have both phones set up so they can do mfa. If you are doing OTP, make sure to use an app that allows you to backup/export. AndOTP is very good if you're an Android guy.

unethical_ban 2 years ago

I agree, mostly because of the lack of self-managed MFA mobility.

The ideal situation is for a site using 2FA to allow me to choose the 2FA application: Google Authenticator, Authy, OneAuth(I think), etc.

Tools like Okta Verify, RSA, Symantec, or SMS based 2FA make the phone a true SPOF. You can't have backup codes, you can't migrate installations. In other words, I hate forcing my phone to be an irreplaceable hard token lest I drop it in the river and have to do a bunch of resets.

jolmg 2 years ago

> i can't log in to any of my banks without my phone.

What country is this? Are you sure they're not just heavily pushing for the use of the apps while still having an alternative? What happens if, when you open an account, you tell them that you have neither an Android nor Apple phone? There's probably still plenty of options for such phones, and it's hard to think they'd refuse to open an account unless you buy a phone of their choice.

yokoprime 2 years ago

Not true at all. If they are able to log into your e-mail, then things will start to fall apart. But just getting your phone will not allow anyone to break into your MFA secured accounts. Your phone is something you own, but they still need something you know (i.e. your password). I feel like you might get a more nuanced perspective by looking into security related topics, specifically around authentication.

  • game-of-throws 2 years ago

    I'd bet almost everyone is logged into email on their phone. If you can trigger a password reset over email, and can access the 2FA (SMS or TOTP app), you can get into just about anything.

  • actually_a_dog 2 years ago

    The "nuanced perspective" here is that regular people don't use MFA authenticator apps. They use SMS 2FA, if anything. Once you accept that, you're right back to "smartphones as a SPOF."

    • rjh29 2 years ago

      Phones are encrypted and protected by a lock screen, or am I being naive?

unreal37 2 years ago

So let's say you change phone numbers and FORGET to change one of the important websites that use that number for authentication?

Or you change phones, wiping the old one before selling it to your friend and setting up the new one from scratch?

Some websites are terrible/impossible at letting you recover your account when you've lost access to the phone number or the exact instance of the phone used for authentication.

  • fuckcensorship 2 years ago

    This is why I stopped using authenticator apps tied to my phone and started using Bitwarden’s TOTP feature.

2-718-281-828 2 years ago

That's why I have three phones fully set up (two would be sufficient, but I just happen to have an iPhone and two OPs).

Technically you can also set up an additional Authenticator on your computer. But my bank authorizations are either app based or phone number dependent - so one main phone featuring both and an additional phone having the app set up.

I don't like it either.

daneel_w 2 years ago

Are you saying all of these systems enforce SMS-based 2FA rather than the sane choice of TOTP? That's unwise and unfortunate.

  • nicbou 2 years ago

    Many enforce 2FA through their own app, so TOTP is not an option.

    • daneel_w 2 years ago

      It's the same plague, whether SMS or their own homebaked authentication scheme.

  • izacus 2 years ago

    No, they enforce through their own crappy app which only works on a few platforms.

    To make things worse, if I install the app for my Swiss bank on a different phone, I need to wait for snail mail to get the activation code.

EVa5I7bHFq9mnYK 2 years ago

I have a virtual phone number to receive SMS from all my banks and other services. Funny thing, their phone app doesn't work reliably, but their Windows app does. So I use desktop to log into all my accounts. If I lose both phone and notebook, it's easy to recover, I only need virtual phone username and password.

childintime 2 years ago

By chance I saw this:

https://support.google.com/fi/answer/6330195?hl=en

It allows the data to be used on a second device, on the same SIM/number. Not SMS though, so this is going to be a limited solution. I also don't know how this works across the globe.

SergeAx 2 years ago

It is not a smartphone, it is your phone number most of the time. It is bound to the SIM card. You may switch the card to another smartphone if yours is broken, or order a replacement SIM card if you lose it. The latter is done by your cell provider with your identity confirmation.

miav 2 years ago

I haven't lost my phone yet, but it's only a matter of time before I get unlucky enough.

I'm prepared for it by using ProtonMail for my main email with (strong, memorized) password only, no 2FA and Starling for my bank, which allows you to log in with password + video of yourself.

NaughtyShiba 2 years ago

But that’s kinda convenient [1]. The problem is that there’s no real proper fallback/backup plan.

[1] Not only is it convenient, it’s also similar to what all the future predictions regarding technology said. Some small gadget or bracelet connecting over air and doing stuff.

  • cassianoleal 2 years ago

    There is a backup plan. For corporate systems, contact the IT department. For banking, call the bank or go to a branch. TOTP-based schemes can be backed up and used on multiple devices. So on and so forth.

    It just so happens that most of these backup plans are incredibly inconvenient and might take a long time and effort to get through them.

    • NaughtyShiba 2 years ago

      Something like that ain’t a plan in my eyes. But yeah, that’s exactly what’s wrong with the plan. God forbid you have to book an appointment and arrive somewhere to get it resolved…

durnygbur 2 years ago

> i can't log in to any of my banks without my phone

Glad it's not only my problem. Force banks to support TOTP. They will not do it voluntarily, they have too many "experts" selling dedicated app to the managements because "securitay".

travisporter 2 years ago

Others have brought up 2FA. I've been looking for a simple (RSA SecurID FOB style) display device that only provides OTP codes. Does such a thing exist? I'm not even above buying a dozen of those old FOBs if it gets the job done

malepoon 2 years ago

This is why I love (WebAuthn) security keys: it's completely separate from your phone (and easy to register a second/third key as backup for in a safe location) so you eliminate this whole class of issues.

Helikentio 2 years ago

I have a few yubikeys.

I have a folder with recovery codes.

I have a fully encrypted phone.

I can afford a cheap backup phone.

I never felt as secure as I do currently.

Partially thanks to Google and the effort they put in 2fa.

I'm happy to have that than needing to drive to my bank for a paper printout.

jerryzh 2 years ago

Because it is indeed the thing everyone carries almost all the time. Could you do these things without your passport/ID/driving license before smartphones appeared?

  • Dr_ReD 2 years ago

    We've been perfectly able to do all of the above, for at least a couple of decades, using any computer and even smartphones of our choosing, until they started forcing those stupid phone apps down our throat, as if we were in a galaxy far, far away and... "This is the way!"

hypertele-Xii 2 years ago

Your choice of banks.

I still have my bank's physical code-slip and can sign in using it just fine.

My fiance's bank provided her with a small, calculator-looking battery-powered code device.

f6v 2 years ago

It’s a trade-off. It’s very convenient for me to pay with ApplePay. But there’s a risk I won’t be able to pay for groceries if my iPhone is out of juice.

seydor 2 years ago

It's a temporary phase, next generation phones will be surgically implanted under the skin so no fear of ever losing them.

  • AnimalMuppet 2 years ago

    No. An attacker could still, um, hack people (in a very literal way). Once you've stolen their implant, who knows what would be possible?

waspight 2 years ago

How do I backup all my 2fa that I have on my phone? I would like to have a backup at home in case of the phone being stolen.

  • in9 2 years ago

    Also interested in this. In Brazil, whenever you get your phone stolen, the robbers will screw you over by getting access to accounts and issuing pre approved loans to other accounts. I'd love for my 2FA to be tied elsewhere instead of the same device where I do transactions.

achow 2 years ago

Doesn't 2FA include emails?

I always get my OTP verification codes (banking, corp login etc.) both on mobile and at my email id.

douglee650 2 years ago

It’s a physical device with access control that is unique to a single human, three nines

aikinai 2 years ago

What country are you in? I’ve lived in a few, and I don’t have any services that require my phone. Many have two-factor auth, but I just save the keys in my password manager which I can access from any of my devices.

BoredPuffin 2 years ago

  • pdntspa 2 years ago

    Dude, what? How many services require SMS 2FA again?

    Your phone is indeed a SPOF. If you lose your phone, you're fucked in a variety of scenarios. To say nothing of services that require a custom app and accept nothing else.

    • Dr_ReD 2 years ago

      Yep! I have all of the things above (yubikeys, many PCs, a couple voip numbers with SMS, ability to emulate Android on PC, a host of old smartphones...) still, if I lose the one smartphone on which -that- custom app is installed, I'm hosed.

      And I can't even install the app on a second phone, because: ah, ha! Only one at a time! There is no installing two, Luke. Only one there will be. (There you go... quotation inception.)

    • BoredPuffin 2 years ago

      Thanks for addressing me as "Dude" and using the f-word!

      1. OP is asking about smartphones; SMS 2FA does not require a "smartphone", but a "mobile phone".

      2. Alternative options mentioned above should you be in the misfortune of losing your... "phone"

      • Dr_ReD 2 years ago

        > Thanks for addressing me as "Dude" and using the f-word!

        Sensitive, ha?

        > 1. OP is asking about smartphones; SMS 2FA does not require a "smartphone", but a "mobile phone".

        Nitpicking and strawman argument. They're both part of, and compounding, the same problem.

        > 2. Alternative options mentioned above should you be in the misfortune of losing your... "phone"

        Sure they "should", but they're often not offered... even if you insist.

        And more often than not, the alternative options available take weeks of phone calls and visits to the local (if you're lucky to have one) branch office of your /whatever service failed you/.

      • pdntspa 2 years ago

        I hate to put this to you, but your post sounds like a whinge on my language, dude

throwaway98797 2 years ago

If only there was a way to prove who you are through some kind of system.

Oh, I don’t know, like the private/public key infrastructure that works well in crypto.

Solutions are clear.

coffee33go 2 years ago

Then change the bank you deal with. At least in EU, this 2FA was due to PSD.

Please also note that any changes will impact some people. How often do you lose your smartphone? If every month then it is sad. You need to find a bank that still uses cheques etc.

No point in whinging. If something works for 90% of people then get used to it.

For example, I did not like joining facebook for my children's school nor whatsapp groups but did it as most of them did it.

  • Dr_ReD 2 years ago

    Yeah, and it's this kind of sheepish behaviour, all the "for me it works", and the blame-the-user attitude, that lets things like this go down hill all the time.

    • activitat 2 years ago

      Any system will affect someone. Do you think my grandpa liked remembering passwords or a computer or even a PIN? One could even lose a passport or money. Don't you have a backup? Like keeping some cash in a backpack and some inside underpants. Get another phone.

      I don't even like using word documents but every govt document like tax in my country is Microsoft based.

      If developers reading hn do not care why would others care.

      BTW, if so many people lose smartphones then banks would be flooded by support calls and they would own up to other non-smartphone 2FA.

  • pipeline_peak 2 years ago

    Part of the point he's trying to make is that eventually there probably won't be a bank that isn't like this.

    • activitat 2 years ago

      Did the world not survive the ATM, PIN, card revolution? Yes. Did 100% of the population like them? No. Did people lose cards? Yes.

      Yet we are here.

      • pipeline_peak 2 years ago

        A phone is a lot more than an ATM or a plastic card. Some people don't want an expensive device that tracks you, potentially sucks you into distractions, and just flat out has a lot of undesired complexity. You shouldn't need one to do basic finances.

        Also ATMs and credit cards didn't replace traditional methods, they're modern alternatives.

        • Dr_ReD 2 years ago

          Furthermore a phone is the single one thing whose loss will cut you out of tens of services —at best—.

          Cards are one-per-service. So if you lose one, you lose access to one service.

          Cards, you don't take 'em out of your wallet unless you have to use 'em.

          Your wallet too, you don't leave it out on the table all the time while eating.

          You don't take it out willy nilly to take selfies and panoramas, or to check the stupid notifications that you get every 3 seconds.

          And when you do, it's only because you have to do wallet-y things, which you do —carefully—, perhaps even looking out for possible pickpockets and thieves.

          All of the above don't need to be charged twice a day... in fact, not at all... and will still work as new, after a trip into the toilet, a drop from any height, a full blown stampede, or even a few cycles in the washing machine.

          Your phone? Not so much.

          And those slabs of glass and metal are often eye-wateringly expensive. Enough to be more interesting to a thief than even your wallet... All this, while we're continuously waving them around, in front of everybody...

          So, do you really need to know how many times people "lose" their phones nowadays?

alldayeveryday 2 years ago

Why did gasoline become a single point of failure in automobiles? Why did the strings on my guitar become a single point of failure?

Creating redundancy for every dependency is not always practical or economical.

  • cassianoleal 2 years ago

    Terrible comparison. If you don't have gasoline you can still walk, get a cab or take the bus to wherever you're going. It's not gatekeeping anything, it's just a convenience.

    Strings on your guitar can be readily replaced, and again, it's not gatekeeping you from your finances or your employment (unless you're a musician, but in this case I'm sure you'll have spare strings and instruments so that if one breaks you can carry on without much thought).

    • alldayeveryday 2 years ago

      > If you don't have gasoline you can still walk, get a cab or take the bus to wherever you're going.

      Not all of us live in an area where those options are available. But I can transport your arguments back to the OP post. You can still call your bank from someone else's phone. You can still walk into a bank branch or use an ATM. Using their website is just a convenience. If you lose your phone you can just get a new one and carry on without thought (replace it).

    • Double_a_92 2 years ago

      If you don't have your bank's app, you can still go to the actual bank and tell them to do your transactions.

      • Dr_ReD 2 years ago

        That's not so easy nowadays.

        Firstly, with COVID-19 many banks don't accept walk-ins and have a long waiting list for appointments.

        Secondly, what if the bank or other service I'm using has no physical offices at all?

        Or what if they're simply too far away and I'm an octogenarian, perhaps with no driving license? Eh? Am I supposed to take an uber to somewhere 100/200 miles away just because morons are given decision-making power and myopic online-apologists on HN even make excuses for them?

        • alldayeveryday 2 years ago

          Your argumentation is myopic. I'm not seeing anyone making excuses. I'm seeing people face the realities that few systems (if any) are without single points of failure.

          Take the mobile app dependency away from banking. Then what? There's a dependency on having a computer. A dependency on having power and internet. Why did the banking system build around these single points of failure?

          The reality of system design dictates that you measure risk in terms of what is acceptable vs not acceptable, the solution on whether it is practical vs not practical, and the implementation on whether it is economically viable. Raising a stink because your bank wants you to use a mobile phone for verification is like complaining that your car requires gasoline to work. Are there other ways of solving the problem? Sure. Did the solution they landed on meet their requirements? Yes. I hardly consider them morons for going with the cell phone approach.

          • cassianoleal 2 years ago

            > Take the mobile app dependency away from banking. Then what? There's a dependency on having a computer.

            A computer, but not necessarily the one authorised computer. You can use a public one in a library, a friend's, your employer's, etc. Not the same as your own and only authorised smartphone.

            > A dependency on having power and internet.

            This is honestly not even an argument, and they're not a SPOF. Both the power grid and the Internet have redundancies built-in.

            > is like complaining that your car requires gasoline to work.

            Again, it's not. The smartphone is used as a single authorised device. Gasoline works regardless of which station you purchase it from. Out of petrol? Fill it up at the nearby station and carry on. Or preferably, don't let it run out in the first place.

            > I hardly consider them morons for going with the cell phone approach.

            I don't consider them morons either. That's not to say I don't recognise this as a weakness.

            • alldayeveryday 2 years ago

              > Again, it's not. The smartphone is used as a single authorised device. Gasoline works regardless of which station you purchase it from. Out of petrol? Fill it up at the nearby station and carry on. Or preferably, don't let it run out in the first place.

              A mobile phone works regardless of which store you purchase it from. Lost your phone? Pick up a new one at a nearby store and carry on. Or preferably, don't lose it in the first place.

              • cassianoleal 2 years ago

                Again, a mobile phone works regardless of where you purchase it. Your banking systems, etc are not authorised to a mobile phone, though. They're authorised to the one mobile phone that was authenticated.

                It's not enough to buy a new phone. You need to contact every single service that's bound to the lost/stolen/broken phone and authorise the new one before you can use their services.

                In the case of the car, it's enough to just fill up the tank with petrol purchased anywhere. It's ready to carry on at that point.

                • alldayeveryday 2 years ago

                  Your meaning is not clear. Are you referring to the mobile phone being used during 2FA auth flows? In this case, the authorization is not to a device but rather to a number on the cellular network. You can swap devices without your bank knowing and without disrupting your authorization. Are you referring to mobile banking apps? If so, again, the bank is not authorizing an individual device. The authorization is a sign-in session on the app. You can swap phones and download the app very easily without contacting the bank.

                  > It's not enough to buy a new phone. You need to contact every single service that's bound to the lost/stolen/broken phone and authorize the new one before you can use their services.

                  Are you referring to changing phone numbers maybe? If so, that is a totally different topic from OP and also from my comments.

        • Double_a_92 2 years ago

          That was the point of my "argument". I was trying to point out how silly the original comment was.