SMS Multifactor Authentication in Antarctica (brr.fyi)
231 points by acdha on Oct 31, 2022 | 149 comments



Even worse than Antarctica might be working in a US DoD "vault" or SCIF. Many of us encountered this problem in recent years as various DoD organizations bought into O365.

For a while, I had to enter a password and then get an SMS authentication code once every 24 hours to login to Teams. The problem is that cleared spaces don't allow any personal devices (there's no cellular service anyway with TEMPEST hardening) and the unclassified (NIPRNet) workstations are usually blocked from connecting to websites like Google Voice and some commercial webmail services. The authentication code would time out after five minutes, and that didn't always leave enough time to exit the building, get to my phone with cellular service somewhere, and then re-enter the building and return to my workstation with the authentication code. If you always worked at the same desk, you could set it up to make a voice call to that desk phone number for authentication, but I didn't always work at the same desk.

My own solution was to use my personal Google Voice number for the authentication code, have Google Voice forward those messages to my personal Gmail inbox, and then have Gmail forward those emails to my official DoD email inbox. (Our official email wasn't yet on O365 and only required our smart cards to login, which later became the method for O365 login, thankfully.)


>my personal Google Voice number for the authentication code

A lot of financial institutions do not allow gv/voip numbers anymore. So, I've had to add one more layer to this, namely forwarding sms from phone to gv, which then goes to email. It looks like there aren't great solutions for forwarding sms to email directly on android, but there is an sms forwarder app on f-droid that works for forwarding to gv.


> It looks like there aren't great solutions for forwarding sms to email directly on android

You can also do this with a Particle board or some other similar embedded device running code on bare metal instead of an Android phone. The advantage being that you won't fall victim to a Java crash or software update, and you can probably set up a watchdog reboot on it.


This seems insane to me. If I were in this situation, I would simply not use Teams if I can't log into it. The only way to get situations like this resolved is for the pain to be felt by someone with the power to change it. Absorbing the pain yourself by working around it is just enabling these things.


Who has the power to change it? How do you make them feel pain? Is this the hill you want to die on? If you can't suffer the asinine 2FA problems while trying to get work done on your glacially slow PC in your 88F office, you will not last long enough to make change. More accurately, you'll probably be able to stick around forever, but without promotions, approbation, or influence.

The answer is to be heroically productive, despite all these ridiculous obstacles, and then to use your reputation to build a base of opposition within your organization from which to fight these problems. If that sounds hard, exhausting, and thankless, then you have your answer for why these things don't get fixed.


>Who has the power to change it?

It doesn't particularly matter who has the power to change it, but it's probably near to the top of the organizational structure.

>How do you make them feel pain?

The way I see it, either:

1. Teams is crucial and not being able to access it easily means eventually things that are important to the people at the top of the organization are missed or take too long. This is the pain you can make them feel. You presumably have your ass covered by raising your issues in writing earlier, so the blame ultimately doesn't rest with you.

or

2. Teams was never important, so not being able to access it easily turns out to not really be that much of an issue for anyone who has any kind of influence.

>you will not last long enough to make change

The person doing this is not trying to make change. Rather, the whole point is to stop insulating decision makers from the consequences of their decisions.


I love your indignation; it validates the way I've felt about various things over the years, so you deserve some explanation of the culture and my thought process:

I'm reminded of the investing maxim that "markets can stay irrational longer than you can stay solvent." I'm a military officer who's not yet senior enough to be vested for retirement benefits, but senior enough to be within striking distance of vesting after 15+ years ("golden handcuffs"). The career model for officers is also "up or out" and every year counts (i.e. one needs to remain within the top 50% of performers who've also devoted the last 15+ years of their lives to this). If it takes the bureaucracy longer than a year to change something stupid, I need to be very thoughtful about what stupid things I choose to protest with disobedience. Furthermore, as someone who works in the IT part of the organization, saying that I can't figure out a way to stay logged into Teams would be an especially bad look. A significant part of my job at the time was helping non-IT people to find solutions for stupid IT problems while advocating for changes to the IT people above me.


Nobody uses Teams voluntarily.


So the DoD deploys IT that some of its users virtually can't login to?

Apart from availability, at least that's secure :)


It's even worse when you consider the DoD at least has multiple functioning internal PKIs and issues smartcards in the form of the CAC and others to all its users.

I'm sorry, we don't want your fancy crypto, please accept this insecure SMS.


To be fair, I guess it's a product of being an organization of three million people who are globally dispersed, working in every conceivable environment. There are a lot of edge cases. So while smart card login was better for my case, other people worked in situations where username / password and SMS authentication was a dream. At the same time, we want everything to be uniform and interchangeable, because we've seen that patchworks of incompatible solutions can be even worse.


You can use the voice call method of MFA on Teams, send it to a Twilio number, and use a Twilio Studio workflow to automatically pick up and press # a few seconds later to confirm.

(Yes, I've done this.)


I wish there was some credible government authority to clearly tell services they cannot offer SMS only 2FA, they cannot limit to “mobile phones only” (ie no Google voice), and they can’t restrict TOTP to one off proprietary tools like Authy. “Person is within USA with mobile phone plan” is hardly an authentication scheme.


And also that they must offer users the possibility of disabling SMS-based authentication if another scheme is enabled.

On Microsoft 365, if you set up "forced MFA" on your organisation, then they additionally force users to add a phone number which can be used for account recovery.

I get why Microsoft wants to keep account recovery possible in this manner, but I am not someone who needs it, and there needs to be a way for me to make my account more secure where my phone company can't take over my account...


You can actually stop the MFA onboarding process when it asks for your phone number—just close the tab or window. You’ll still get TOTP or whatever else you already configured. It makes it sound as though you also need to add a phone number, but you don’t.


I just ran into this. My bank used to send codes over email, but for some reason a couple of months ago they decided SMS was the only option.

I said "So you're forcing people to have a phone with a plan?"

"Yes."


Phone companies should have banned SMS 2FA as an abusive use, or at least charged extra for senders. What it does is offload KYC to mobile phone subscriber databases.


It is in all the parties’ best interest (too big to fail business, mobile network, and the government). No accountability, low cost, and the ability to finger point.


How does the TOTP secret get copied into Authy? Seems like you could just copy the data out of that and into an open source tool instead of Authy.


The TOTP URIs can be exported - I use this to export them into Bitwarden: https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...
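Since the exported entries are plain otpauth:// URIs, nothing ties them to one vendor. As an added example (my code, not from the thread or the linked gist), here is a parser for such a URI and an RFC 6238 TOTP computation using only the Python standard library; the URI is constructed with the RFC's reference secret, and the label/issuer handling is my assumption about how exporters format them:

```python
# Added example (not from the original thread): parse an otpauth:// URI of the
# kind exported from Authy and compute RFC 6238 TOTP codes with only the
# standard library. Any authenticator that exports these URIs can be replaced
# by this code, Bitwarden, Aegis, or anything else that speaks the same format.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote


def parse_otpauth(uri):
    """Parse otpauth://totp/<label>?secret=...&issuer=...&digits=...&period=...
    into a dict. Raises ValueError on anything that is not a TOTP URI.
    Label handling ("Issuer:account") is an assumption about exporter output."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret parameter")
    label = unquote(u.path.lstrip("/"))
    issuer = q.get("issuer")
    account = label
    if ":" in label:
        label_issuer, account = label.split(":", 1)
        issuer = issuer or label_issuer
    # Base32 secrets are case-insensitive and exporters often strip the '=' padding.
    secret = q["secret"].strip().upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)
    return {
        "issuer": issuer,
        "account": account.strip(),
        "secret": base64.b32decode(secret),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(entry, at=None):
    """RFC 6238 TOTP for a parsed otpauth entry at Unix time `at` (default: now)."""
    at = time.time() if at is None else at
    return hotp(entry["secret"], int(at) // entry["period"],
                entry["digits"], entry["algorithm"])


if __name__ == "__main__":
    # Constructed URI using the RFC 6238 reference secret "12345678901234567890".
    uri = ("otpauth://totp/Example%3Aalice%40example.com?secret="
           "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")
    e = parse_otpauth(uri)
    print(e["issuer"], e["account"], totp(e, at=59))  # Example alice@example.com 94287082
```

The values at t=59, 1111111109 and 1234567890 match the RFC 6238 Appendix B vectors, which is the quick way to confirm an exported secret round-tripped correctly before deleting it from the old app.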


You don't even need to move to Antarctica, just moving to a different country is enough to experience a lot of SMS pain. Many companies are hardcoded to only allow SMS to numbers in the same country code. Even if you work around this by bringing a SIM card along (meaning paying for a plan, keeping it topped up, etc), you can still run into issues if they're sending SMSes from a country-specific short code and you ever need to reply for any reason ("Is this transaction fraud? Reply Y/N in the next 10 minutes or we'll helpfully cancel your card!").


I've been lucky enough to have my phone number for the past decade and all of the services I use have already authenticated that number. When I moved to Europe earlier this year, I ported my number from BIG_NAME_CARRIER to Google Voice and so far everything has been fine.

That said, I'm still vigilant for alternative login options when I see them because I assume sooner than later, some company will audit all customer numbers on file and realize mine has changed from `mobile` to `voip` like mentioned in the article.

I think the only ones still tied to my number are a credit card and a neobank, but I could theoretically live without those.


I've been travelling for the last two years. With Wifi-calling, I can send/receive calls and text messages just fine. The only caveat is when I am outside of wifi I have to turn on a hotspot from the other phone.


Second this, dealing with it myself.

Gave my number to the bank to send me TOTPs, and then moved literally dozens of thousands of km away to find out that roaming is not enabled by default (had to buy a new SIM card from a new carrier), you have to visit the office in person, and on top of that, the bank wouldn't send SMS to foreign numbers, so my card is good to cash out basically, forget the online payments


Yeah, I know someone with more money than technical savvy or patience who ended up fedexing their phone to family to get 2F codes.


I'm from a small and flat country and no matter where I've been there's always been reception, so I understand the assumption that some people might make that everyone is connected all the time.

But I've been traveling around in the UK and I know you shouldn't take reception for granted. In Malvern, Worcestershire there's no reception in some parts of the city, and in Wales I only have reception in the cities.

We had a situation last week where we were setting up a tool, and I couldn't proceed because they required 2FA through SMS, not a great first impression.


2FA Mule is the proper name for his "phone in a drawer" method:

[1] https://kozubik.com/items/2famule/


It’s generally expected that you have a cell phone, accessible at all times, which can receive SMS text message MFA codes.

This drives me crazy. I don't want my phone number to be a single point dependency for such services.


I also don’t like giving my permanent, cross-app cross-company tracking identifier to those with whom I am doing business, allowing them to buy tons of additional data about me from data brokers (and selling my transaction data back).

Phone numbers are commonly used for this. I change mine monthly.


Leaving the Android phone at home and forwarding SMS with IFTTT is an ingenious approach. A similar solution with an iPhone at home could be accomplished with text message forwarding enabled in iMessage: https://support.apple.com/en-us/HT208386


Yeah I wondered while reading. My text messages come to all my iDevices by default. Would that stop working with Antarctic internet?


I had a close call a couple of years ago when I had to travel unexpectedly and discovered that my phone provider’s new wholesaler relationship didn’t offer SMS roaming. Since I suddenly had to use a government app to get back into the country and the only MFA I believed they offered was text message, I had a little panic. Fortunately I got in with an email or something, but I quickly changed mobile providers for this reason.

It’s taken me until now to have a personal TOTP process robust enough to want to move my stuff across. When I get back from my current travels, it makes sense to try to move as much as I can to my new, synced, backed-up, personal authenticator solution.


As an additional option, if you use the Android/Google Messages app, you can link another device/laptop and any communications are bounced through Google's cloud, but End-to-End encrypted. I use this all the time from my tablet I take into the Data Center, and frequently leave my phone upstairs. Keeps support for RCS as well.

Additionally, you can also use Google Fi, which supports the same messages app, and syncing the messages and responses like Apple's iMessage, just by logging into your Google Account after a little setup. I believe it's also intercepted upstream, and isn't reliant on another device being powered on.

Disc: Googler, not on Messages.


Yeah, Messages device pairing should work perfectly for this.


Google Fi boots you off the network if you're outside of the US for 3-ish months.


This has not been my experience - you cannot have data enabled outside the US for extended periods of time, but leaving SMS/voice enabled seems fine.


I wonder, does someone maintain a list of banks and credit unions that strive for modern security? It might affect my choice of banks.


https://2fa.directory/us/#banking

I got a TOTP card from Bank of America like 10 years ago. Ended up screwing me a bit when I lost it and then couldn't make changes to my account... I personally kinda hate 2FA now.



Only two banks on that list do not support SMS: Credit Suisse and Mercury (my employer). Banking is sad.


I think banks that do support SMS in addition to TOTP are also fine. Still, those are pretty rare as well.

Wondering if there's a similar list for European banks.

UPD: there's link to https://2fa.directory/int/#banking on the U.S. page


If you qualify (you’re a vet or anybody in your immediate family is), Navy Federal is pretty friendly with both global access and multiple 2FA options including SMS to Google Voice. Their primary customer base is armed forces who will login from abroad and not have access to normal SMS.


I have the same issue in Canada. The bank I was using dropped support for email 2FA and only supports SMS now. I look at the alternatives and they all only support SMS or a custom app. There are a few that don't support 2FA at all which I assume just means that they are slow and will push me into SMS 2FA in a few years.

I would love to switch to a bank that supported TOTP.


This is trivial for Android phones running the Google Messages texting app. Go to https://messages.google.com, scan the QR code with the Messages app, and now all your text messages are accessible via the Messages Web site. Bank auth codes work fine (at least for my NZ banks).


Trivial except for the remotely sysadmining an Android phone part. That's doable, but requires some work.


For the more adventurous, you might be able to combine a Raspberry Pi with a USB 3G/4G Modem dongle or even a specialised Hat for it.

It should be a case of inserting the SIM card, and using AT commands over serial to send/receive SMS.

Combine it with a watchdog timer and a remote-controlled power-plug and you can even power it off/on again remotely if it crashes.
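As an added example (not from the thread), here is the receiving side of that setup in Python: a parser for the text-mode AT+CMGL output a modem returns, and code extraction from the message bodies. The serial helper assumes pyserial and a modem port name that varies by module; the sample modem response is constructed:

```python
# Added example (not from the original thread): parse the text-mode output of
# AT+CMGL="ALL" from a USB cellular modem and pull one-time codes out of the
# message bodies. read_inbox() assumes pyserial and a modem that supports text
# mode (AT+CMGF=1); everything else runs offline on the constructed SAMPLE.
import re

# +CMGL: <index>,<stat>,<oa>,[<alpha>],[<scts>]   (3GPP TS 27.005, text mode)
CMGL_HEADER = re.compile(
    r'^\+CMGL:\s*(?P<index>\d+),"(?P<stat>[^"]*)","(?P<sender>[^"]*)",'
    r'(?:"(?P<alpha>[^"]*)")?,(?:"(?P<scts>[^"]*)")?\s*$'
)
# A standalone 4-8 digit token, not part of a phone number, amount or date.
OTP_TOKEN = re.compile(r'(?<![\d+.-])(\d{4,8})(?![\d.-])')


def parse_cmgl(response):
    """Turn a raw AT+CMGL response into a list of messages.
    Bodies may span several lines; they end at the next +CMGL: line or at
    the final result code (OK / ERROR / +CMS ERROR). Command echo and
    unsolicited lines outside a message are ignored."""
    messages = []
    current = None
    for line in response.replace("\r\n", "\n").split("\n"):
        line = line.rstrip("\r")
        m = CMGL_HEADER.match(line)
        if m:
            current = {
                "index": int(m.group("index")),
                "stat": m.group("stat"),
                "sender": m.group("sender"),
                "timestamp": m.group("scts") or "",
                "body": [],
            }
            messages.append(current)
            continue
        if line in ("OK", "ERROR") or line.startswith("+CMS ERROR"):
            current = None
            continue
        if current is not None:
            current["body"].append(line)
    for msg in messages:
        msg["body"] = "\n".join(msg["body"]).strip()
    return messages


def extract_otp(body):
    """Return the most likely one-time code in an SMS body, or None.
    Prefer a token shortly after the word 'code'; otherwise take the first
    standalone 4-8 digit token (so '10 minutes' or a callback number is skipped)."""
    after_code = re.search(r'\bcode\b[^0-9]{0,40}(\d{4,8})\b', body, re.IGNORECASE)
    if after_code:
        return after_code.group(1)
    tokens = OTP_TOKEN.findall(body)
    return tokens[0] if tokens else None


def unread_otps(response):
    """(sender, code) for every unread message that carries a code."""
    out = []
    for msg in parse_cmgl(response):
        if msg["stat"] != "REC UNREAD":
            continue
        code = extract_otp(msg["body"])
        if code:
            out.append((msg["sender"], code))
    return out


def read_inbox(port="/dev/ttyUSB2", baud=115200, timeout=3):
    """Read the inbox from a real modem. Requires pyserial (pip install pyserial).
    The AT port name is an assumption; it differs between modules and kernels."""
    import serial  # imported here so the parser above runs without a modem
    with serial.Serial(port, baud, timeout=timeout) as ser:
        for cmd in (b"AT\r", b"AT+CMGF=1\r", b'AT+CMGL="ALL"\r'):
            ser.write(cmd)
            response = ser.read_until(b"OK\r\n").decode("utf-8", "replace")
    return parse_cmgl(response)


SAMPLE = (  # constructed; not captured from a real modem
    '\r\n+CMGL: 1,"REC UNREAD","+15551234567",,"22/10/31,14:02:11+00"\r\n'
    "Your verification code is 482913. It expires in 5 minutes.\r\n"
    '+CMGL: 2,"REC READ","24273",,"22/10/30,09:15:40+00"\r\n'
    "Is this transaction fraud? Reply Y/N within 10 minutes.\r\n"
    '+CMGL: 3,"REC UNREAD","Bank",,"22/10/31,14:05:02+00"\r\n'
    "Use 771204 to sign in.\r\n"
    "Do not share this code with anyone.\r\n"
    "\r\nOK\r\n"
)

if __name__ == "__main__":
    for sender, code in unread_otps(SAMPLE):
        print(sender, code)
```

Whatever forwards the result onward (email, a chat bot, a web page behind a VPN) should also delete read messages (AT+CMGD) or the SIM's small message store fills up and new codes are silently dropped, which looks exactly like the carrier failing you.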


MikroTik LTE routers are another good candidate. Land a wireguard tunnel on one, log in, and read the sms that come in via syslog.


Much, much easier to deploy a 2FA Mule with the excellent "SMS Forwarder" app and a $8/mo tello plan:

https://kozubik.com/items/2famule/


The problem with using phones is that they're very much intended to have someone poke at them, and they're not intended to stay on charge 24x7.

I've got a work phone in front of me, all it's used for is getting 2FA prompts (SMS and Duo). Yet randomly I'll find it's rebooted for some update because the manufacturer has decided that I have to have it, and now I have to unlock it to launch Duo. I have disabled updates as much as I can, but it still gets some periodic updates.

I ran a bunch of Android tablets for a while, and their batteries swelled up over time because they sat on charge all the time.

Maybe if you can run a custom ROM to achieve some of this. But it's not an option for my 'work' phone, since the Manufacturer doesn't allow unlocking the boot rom.

My point is not all devices are equal, and I think if I was going somewhere remote I'd probably choose not to rely on a phone.


I have two pixel 4 (seen in the photos there) and I have noticed two things:

> 1 year uptime with no crashes or reboots

Android (whatever version) informs me that it's not charging fully for blah blah battery reasons ... which is to say, it is in some way smartly conditioning its own battery.

I can't say any more about it since this isn't my area of expertise but at least with these pixel 4a devices, these issues aren't present.


Seems like they could have one of those mini femtocells that cellphone companies will send you if you have no reception at your place - these just plug into your home internet and then rebroadcast a 3G or 4G signal. I still have an older 3G one from Sprint I am keeping around (probably won't even work anymore).

One of these could temporarily be plugged in on request - they could have just a few of them (at whoever is head of IT) for different carriers just for this situation.


I'm curious how much bandwidth these require. Antarctica has very, very little bandwidth.


Each simultaneous call costs you ~100Kbps. An SMS is 140 bytes, and limited by desired SMS throughput. I use a T-Mobile femtocell with a SpaceX Dishy, but VSAT (64 Kbps up to 8 Mbps) should be fine for SMS only.

https://explorersweb.com/starlink-in-antarctica/

McMurdo could run their own BTS and provide SMS access only to mobile phones if the desire and funding was available. This would give you a legit mobile network registration.

http://openbts.org/

https://www.theverge.com/2022/10/6/23389641/ukama-open-sourc...


I haven’t heard of femtocells and now wondering why we don’t use these instead of WiFi? In my experience LTE connections are much more reliable than WiFi - rarely having mobile data issues but WiFi won’t work in the next room.

Are femtocells just as crappy as WiFi?


In Dubai apartments are full of these things that the phone company just shows up and plugs in; they connect to the building fibre rather than being linked to you personally or you personally paying for them https://www.reddit.com/r/dubai/comments/on8gdh/we_recently_m...


Why use femtocell over Wi-Fi? It costs the same as normal mobile data usage (maybe it depends). It's generally slower than Wi-Fi because not much bandwidth is assigned for it. No LAN connectivity. Its routing isn't optimal for just internet access because it routes home-ISP-internet-mobileISP-internet, instead of home-ISP-internet.


They're slow and use licensed bands


I have one of those. It requires a GPS signal to work, and instantly stops working if it isn't at your registered home address, which I assume cannot be Antarctica.


Just want to say, this is a God-tier URL


If anyone is interested, you can use Traccar to use an Android phone as an HTTP SMS API gateway.

https://github.com/traccar/traccar-sms-gateway

https://news.ycombinator.com/item?id=28125074

I use a phone in a drawer for MFA codes and use this to access the OTPs remotely, with some minor PHP scripting for a simple web-accessible front-end.


Another app does just incoming SMS to URL: https://f-droid.org/en/packages/tech.bogomolov.incomingsmsga...


Very cool!


any app for iphone?


Set up message forwarding on iOS and leave your device at home.


I also have a phone number solely for MFAs, and phone is in drawer at home. Battery is good for weeks, so not plugged in. Every incoming SMS, an app forwards it to a Google Apps Script, and GAS pings my telegram bot, which sends it my all devices with telegram installed.


What phone capable of running apps has a battery that lasts for weeks? Old feature phone with a custom (?) Java applet or something?


If you want your phone that is capable of running apps to last for weeks on battery, the big trick is to make sure it doesn't actually run apps for the most part. The second part is to make sure it has good reception. Also, disable any radios you don't need, etc.

If you took a random Android, put in a sim, uninstalled or disabled as many apps as possible, and left it screen off where it had a good view of local towers, you'd have pretty good battery life. It wouldn't be very exciting... but if it just needs to sit in a drawer (hopefully not a metal drawer, see reception issue) and forward a couple sms a week, it'd probably make it through at least one week.

If you go for a model that has a higher capacity battery as a feature, that'll help too.


My work iPhone 11 will run for a week in low-power mode - the battery is pretty large without the screen on with a bunch of apps keeping the CPU and cellular radio warm. I use mine mostly for MFA messages & Exchange when away from my desk and that’s a lot more power-efficient than I thought.


Yeah, I thought about low power mode but at least on my Samsung phone that kills basically all of the background apps/services, which would include any forwarding service. Or well, you can choose to allow background stuff but that's where the battery savings really kick in. I guess I haven't actually tried it with zero direct usage of the screen or phone, maybe it could last that long...


It's a Huawei Honor Nova 5T, about 2 years old, with location and data off, network on, wifi on, and no extra apps except stock & that one sms forwarding app. I believe Android 10 or newer.


Why not just keep the phone plugged in?


It's at my home, I go there every day. I usually see it when battery is around 10%. It's USB-C, so it charges pretty quickly, like in minutes. I can use the same charger I use for my regular phone.


While that makes sense, it doesn’t really answer why you don’t leave it plugged in.


Fire hazard, worse for battery, taking up a charging plug, etc


Very interesting! Do you have a blog or anything written for your setup?


I wonder why OP hasn’t mentioned CAP schemes [1], which I’m sure has to exist in the US, too?

For example, I’m using a domestic CAP-like system (dubbed Secoder in Germany) for several of my bank accounts. It exploits the fact that your ATM card is a trusted computer with a built-in digital signature/HMAC feature.

You have to spend 20 € for a small battery-powered device, which features a card reader, a display, a PIN pad and a camera. (There’s also a USB-based variant without batteries and camera.)

On each online transaction, you insert your card and point the camera at the QR-encoded challenge on your computer screen. The display then asks you to confirm recipient and amount, and if you do, it sends the whole thing to the ATM card, which then shows you the 2FA code based on HMAC.

CAP seems to have become a niche thing as everyone is preferring apps nowadays, and those are much cheaper to maintain. I still think the CAP system is superior to apps, because it’s offline, carrier-independent and easy to use.

[1]: https://en.wikipedia.org/wiki/Chip_Authentication_Program


> which I’m sure has to exist in the US, too?

Considering that they hadn't deployed chip cards until the mid-2010s it's unlikely that this even exists (and indeed this was not available on any US banks).


The main problem that OP is experiencing is that the services that they need to access only support SMS 2FA. Talking about a different unsupported scheme doesn't seem relevant.


Good point. One might argue though that you could switch to a competing bank which does support that scheme.


This may work for some services but there is going to be at least a few that are hard to replace and only support SMS.

At least in my experience trying to find a Canadian bank with reasonable 2FA they were all either SMS or a custom app. So I just sucked it up and stuck with my current one because there was no choice.


>camera

What is it used for?


It’s used for scanning the QR code displayed on the computer (or phone).

The QR code contains:

- the monetary amount,

- parts of the recipient’s account number (both helps thwart MITM attacks)

- and a random challenge (which helps prevent replay attacks.)

That’s for the wireless model. Wired CAP devices don’t have a camera since they can use USB.
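As an added example (not from the thread or any bank's real implementation), the two comments above describe a transaction-signing flow that can be modelled in a few dozen lines: the bank issues a challenge carrying amount, recipient fragment and nonce, the device shows them to the user, and the card returns a code bound to all three. Real CAP/Secoder readers drive an EMV card's own cryptogram; the HMAC-SHA256 "card", the message layout, the names and the example IBANs below are assumptions for illustration:

```python
# Added example (not from the original thread): a simplified model of a
# CAP/Secoder-style transaction-signing scheme. Real CAP devices drive an EMV
# card and use the card's own cryptogram; here the card is modelled as an
# HMAC-SHA256 keyed with a per-card secret that the bank also holds. Names,
# message layout and the example IBANs are assumptions for illustration.
import hashlib
import hmac
import secrets
import struct


def canonical(amount_cents, recipient_tail, nonce):
    """Fixed-layout message so amount, recipient and nonce are all bound into
    the code and cannot be re-split or re-ordered by an attacker."""
    return struct.pack(">Q", amount_cents) + recipient_tail.encode() + b"\x00" + nonce


def card_response(card_key, amount_cents, recipient_tail, nonce, digits=8):
    """What the card computes once the user confirms the displayed data."""
    mac = hmac.new(card_key, canonical(amount_cents, recipient_tail, nonce),
                   hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class Bank:
    """Server side: issues challenges and verifies each one exactly once."""
    def __init__(self):
        self.card_keys = {}
        self.pending = {}        # nonce -> (card_id, amount_cents, recipient_tail)
        self.used_nonces = set()

    def enrol_card(self, card_id):
        self.card_keys[card_id] = secrets.token_bytes(32)
        return self.card_keys[card_id]

    def start_transfer(self, card_id, amount_cents, recipient_iban):
        nonce = secrets.token_bytes(16)
        tail = recipient_iban[-6:]           # the part the device will display
        self.pending[nonce] = (card_id, amount_cents, tail)
        # This dict is what gets QR-encoded for the reader's camera.
        return {"amount_cents": amount_cents, "recipient_tail": tail, "nonce": nonce}

    def complete_transfer(self, nonce, code):
        if nonce in self.used_nonces or nonce not in self.pending:
            return False                     # replay or unknown challenge
        card_id, amount, tail = self.pending.pop(nonce)
        expected = card_response(self.card_keys[card_id], amount, tail, nonce)
        self.used_nonces.add(nonce)
        return hmac.compare_digest(expected, code)


def reader_display(challenge):
    """Text the offline device shows before asking the user to confirm."""
    euros, cents = divmod(challenge["amount_cents"], 100)
    return f"Pay {euros}.{cents:02d} EUR to ...{challenge['recipient_tail']}?"


def user_confirms(challenge, intended_amount_cents, intended_iban):
    """The human check: the display must match what the user meant to send."""
    return (challenge["amount_cents"] == intended_amount_cents
            and challenge["recipient_tail"] == intended_iban[-6:])


def run_scenario(tamper):
    """Honest transfer, or one where malware on the PC swapped amount and
    recipient before the request reached the bank.
    Returns (user_confirmed, bank_accepted)."""
    bank = Bank()
    card_key = bank.enrol_card("card-1")
    intended = (5000, "DE89370400440532013000")          # 50.00 EUR, example IBAN
    submitted = (500000, "DE02120300000000202051") if tamper else intended
    challenge = bank.start_transfer("card-1", *submitted)
    if not user_confirms(challenge, *intended):
        return False, False                             # user refuses on the display
    code = card_response(card_key, challenge["amount_cents"],
                         challenge["recipient_tail"], challenge["nonce"])
    return True, bank.complete_transfer(challenge["nonce"], code)


def replay_is_rejected():
    """A captured code is useless a second time because the nonce is consumed."""
    bank = Bank()
    key = bank.enrol_card("card-1")
    ch = bank.start_transfer("card-1", 5000, "DE89370400440532013000")
    code = card_response(key, ch["amount_cents"], ch["recipient_tail"], ch["nonce"])
    first = bank.complete_transfer(ch["nonce"], code)
    second = bank.complete_transfer(ch["nonce"], code)
    return first and not second


if __name__ == "__main__":
    print("honest:", run_scenario(tamper=False))         # (True, True)
    print("tampered:", run_scenario(tamper=True))        # (False, False)
    print("replay rejected:", replay_is_rejected())      # True
```

The model makes the two properties explicit: a code computed over one recipient or amount does not verify for another, and a nonce can be consumed once. What it cannot do is protect a user who confirms the display without reading it; the whole scheme rests on that comparison, which is also why the reader has its own screen rather than trusting the PC's.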


Leaving your phone charging for an extended amount of time like this is really bad though. The battery will swell (fire hazard); it's just a matter of when. Sometimes you're lucky and it takes a year or more for the battery to swell, sometimes it swells after just a few months. The compromise is probably to put the phone on a fireproof surface instead of in a drawer.


Don't modern battery charge control chips take care of this automatically?

I mean, many laptops spend 99% of their time on plugged in/docked, and that doesn't cause any battery problems.


Just plug the phone charger in a power outlet timer that turns on the power just 2 hours per day. That would simulate normal daily phone charging.


This is a great idea. Can even automate it using Home Assistant for precise control if you're using Android. Home Assistant's Android client reports battery life to your Home Assistant instance, so you can write an automation that switches on a smart switch connected to the charger when the phone's battery is <50% and turns it off when it's >95% (or other values optimized for battery longevity).


Why aren't charger ICs smart enough by now to avoid this? (eg. let it drain a ways before topping off again).


I have a 5 year old Sony Xperia ZX which has had "battery care" enabled (possibly by default) since I bought it.

It charges the battery to something like 85% until shortly before my alarm is set, or the expected time I'll unplug it if no alarm is set. There isn't a way to manually control this, beyond changing the alarm time.

However, the battery is still going strong after 5 years.

(I wish they'd make a decent compact successor. The latest "Compact" Xperia phone seems to be 2.5cm taller! https://www.gsmarena.com/sony_xperia_5_iv-11838.php 15.6cm vs 13cm)


Does iPhone’s optimized battery charging help?


Not sure. I actually had an iPhone with a battery so swollen, the screen got popped out of the frame by itself. Maybe newer iPhones are better at this stuff, but why risk your house burning down when you can take some precaution regardless of the type of phone you use.


Modern phones have an option to stop charging at 85%, which mitigates some of the issue as well as extending the battery lifetime. The main thing is the battery needs to go through charge cycles, sitting is death.


Wait, what? Aren't batteries and chargers smart nowadays? I thought they automatically care about battery health no matter what the user does (apart from deep discharging of course)!


I have an AT&T number ported to Google Voice. There isn't any service out there that thinks it's a VOIP number.


"I have an AT&T number ported to Google Voice. There isn't any service out there that thinks it's a VOIP number."

This 'lookup' script that I wrote will properly identify your number as being owned by google voice:

  # $number in E.164 form (e.g. +12025550143); $accountsid and $authtoken from the Twilio console
  /usr/local/bin/curl -s -X GET "https://lookups.twilio.com/v1/PhoneNumbers/$number?Type=carrier&Type=caller-name" -u "$accountsid:$authtoken" | /usr/local/bin/jq '.'
... given any phone number, I can see, using the twilio API, where the number currently terminates to and who "owns" it - including subscriber name (ie., your name).

I'm glad it continues to work for you because it should and you should be able to use a gvoice number in this fashion but ... you've just gotten lucky so far.


I am appalled by this. Thanks for sharing. I clearly am lucky!


Not sure what bank you use, but a few banks immediately unenroll your phone number when you switch carriers, most likely as a protection mechanism against SIM swap.

Below is one of the emails I got from Chase:

``` Dear Customer,

Our records indicate that you may have recently changed your mobile service provider or mobile phone number. As a result, Chase services that use this mobile number (such as text banking, text alerts, Chase QuickPaySM etc.) may have been disabled.

```
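As an added example (not from the thread), here is the logic a service could run behind a carrier lookup like the curl posted earlier and behind the kind of unenrolment email quoted above. build_lookup_request targets the Twilio Lookup v1 endpoint from that curl; the response handling, the stored carrier fingerprint and the acceptance policy are assumptions for illustration, not any bank's actual rule, and the sample responses are constructed:

```python
# Added example (not from the original thread): the server-side logic behind a
# carrier lookup and a "your carrier changed" unenrolment. build_lookup_request()
# targets the Twilio Lookup v1 endpoint from the curl posted earlier; the field
# handling, the fingerprint and the policy are assumptions for illustration.
import base64
from urllib.parse import quote
from urllib.request import Request

LOOKUP_BASE = "https://lookups.twilio.com/v1/PhoneNumbers/"


def build_lookup_request(number, account_sid, auth_token):
    """HTTP request for carrier + caller-name data (built, not sent, here).
    The '+' of an E.164 number is percent-encoded so it survives in the path."""
    url = LOOKUP_BASE + quote(number, safe="") + "?Type=carrier&Type=caller-name"
    creds = base64.b64encode(f"{account_sid}:{auth_token}".encode()).decode()
    return Request(url, headers={"Authorization": "Basic " + creds})


def classify(lookup_json):
    """('mobile' | 'landline' | 'voip' | 'unknown', carrier name or None).
    Anything missing or errored is 'unknown', never silently 'mobile'."""
    carrier = lookup_json.get("carrier") or {}
    if carrier.get("error_code"):
        return "unknown", None
    kind = (carrier.get("type") or "unknown").lower()
    if kind not in ("mobile", "landline", "voip"):
        kind = "unknown"
    return kind, carrier.get("name")


def carrier_fingerprint(lookup_json):
    """What a bank could store at enrolment to notice a later carrier change
    (a port-out to another carrier or to a VoIP provider)."""
    carrier = lookup_json.get("carrier") or {}
    return (carrier.get("mobile_country_code"), carrier.get("mobile_network_code"),
            classify(lookup_json)[0])


def accept_for_sms_mfa(lookup_json, enrolled_fingerprint=None, allow_voip=False):
    """Policy: handset numbers only unless VoIP is explicitly allowed, and a
    number whose carrier changed since enrolment is refused until re-verified
    (the behaviour the quoted bank email describes). Returns (accepted, reason)."""
    kind, _ = classify(lookup_json)
    if kind == "voip" and not allow_voip:
        return False, "voip number"
    if kind not in ("mobile", "voip"):
        return False, f"{kind} number"
    if enrolled_fingerprint and carrier_fingerprint(lookup_json) != enrolled_fingerprint:
        return False, "carrier changed since enrolment; re-verify"
    return True, "ok"


def make_response(kind, name, mcc, mnc, number):
    """Constructed response in the shape of Lookup v1; values are invented."""
    return {
        "caller_name": None,
        "carrier": {"mobile_country_code": mcc, "mobile_network_code": mnc,
                    "name": name, "type": kind, "error_code": None},
        "country_code": "US", "national_format": number, "phone_number": number,
        "add_ons": None, "url": "",
    }


MOBILE_AT_ENROLMENT = make_response("mobile", "Example Wireless", "310", "410", "+12025550199")
SAME_NUMBER_PORTED_TO_VOIP = make_response("voip", "Example VoIP Provider", "311", "490", "+12025550199")
# Any non-null error_code means the carrier lookup failed; the code value is invented.
LOOKUP_FAILED = {"carrier": {"type": None, "error_code": 60000}, "phone_number": "+12025550199"}

if __name__ == "__main__":
    print(build_lookup_request("+12025550199", "ACxxxx", "token").full_url)
    fp = carrier_fingerprint(MOBILE_AT_ENROLMENT)
    print(accept_for_sms_mfa(MOBILE_AT_ENROLMENT, fp))                   # (True, 'ok')
    print(accept_for_sms_mfa(SAME_NUMBER_PORTED_TO_VOIP, fp))            # (False, 'voip number')
    print(accept_for_sms_mfa(SAME_NUMBER_PORTED_TO_VOIP, fp, allow_voip=True))
    print(accept_for_sms_mfa(LOOKUP_FAILED))                             # (False, 'unknown number')
```

The third call shows why "my ported Google Voice number still works" is luck rather than policy: even a service that tolerates VoIP numbers would flag the port-out if it had stored a fingerprint at enrolment, and a lookup failure is treated as a refusal rather than a pass.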


I ported a Verizon number to Google Voice ten years ago and I've used it as my primary phone number ever since, forwarding to my MVNO carrier number. I'd say it works fine with 95% of services, but I have run into some issues. I remember Uber being one service that rejected it. I stopped using Uber when I got a new SIM card for a new carrier, and I had trouble recovering my account which had to be tied to my old carrier number.




Nothing is automatic about this process. It is fairly common for calls to or from ported numbers not even to be connected if one of the ends is currently at some obscure small-time carrier. Failure of e.g. caller ID is even more common.


You can send and receive SMS using Wifi only (VoWIFI), which most carriers support, even the cheapest MVNOs. It's usually referred to as "WiFi Calling".

Again, you DO NOT need a cell phone tower to send and receive SMS and phone calls. You can register your phone on its home network near a tower and go WiFi-only forever after.


OP appears to have attempted it.

“ One issue is that the protocol for wifi calling is notoriously opaque. Carriers frequently change the underlying infrastructure and protocol details.

Also, the protocol assumes terrestrial broadband with reasonable latency and bandwidth. At McMurdo, as of this writing, latency to terrestrial locations is in excess of 700 milliseconds. Usable bandwidth for any given end user can vary widely, down to a few dozen kilobits per second.

The protocol also doesn’t expose any useful diagnostic info to the end user in order to troubleshoot. You just have to cross your fingers that the magic “wifi calling” icon lights up.”


"You can register your phone on its home network near a tower and go WiFi-only forever after."

This is how it works on paper. You may have had success with this.

It does not work universally. It won't take long to find a bank / FAANG / service provider that refuses to accept anything but a bona fide mobile SIM talking to a base station.


> It does not work universally. It won't take long to find a bank / FAANG / service provider that refuses to accept anything but a bona fide mobile SIM talking to a base station.

How does a SMS sender know this? Is there some mechanism in SMS to only deliver if by certain criteria?




You can use a handset with its SIM card on WiFi without a tower ever again if you provision the SIM card on its home network once. Nobody is suggesting using anything but a handset.


"Yes. There is a database they query to see if it’s tied to a handset, or just a virtual number."

Or they do an API lookup and query the type in realtime.

Elsewhere in this thread I posted the syntax for performing this lookup using the twilio API ...


Doesn't even need to be as far as Antarctica.

I recently went on an international trip where I turned off my regular cell plan and used a local SIM card. I was surprised at the number of services I couldn't log into because I was avoiding connecting my regular number due to the high international rate.


> the amount of services I couldn't log into because I was avoiding connecting my regular number due to the high international rate

Receiving international SMS while roaming is typically[1] free - just make sure to turn off data roaming and avoid using that SIM to make phone calls.

1. It should in theory always be free on every carrier, but I wouldn’t put it past some MVNOs to charge for it.


The inconvenience is having to swap SIM cards every time. How does this work for phones with eSIM? Can you be in multiple phone networks at once?


> How does this work for phones with eSIM? Can you be in multiple phone networks at once?

Yes, you can, and it’s much easier with eSIMs because they can just be turned on and off through your phone settings as needed.

In this scenario you’re obviously trading redundancy for convenience - if you break your phone, you can’t just pull the eSIM out and pop it into another device. I keep a copy of my eSIM QR codes in 1password, but of course there are risks there too.


Dual SIM handsets are widely available. You can even configure your phone to use data on one sim and voice on the other, and to use VoWiFi with one sim over the data plan for the other. It's wild.


Pretty good solution. I’ve seen online services that will “virtualise” a phone and give you access to it in the cloud. Pretty sure it’s just a cheap android on a rack.

I’ve thought about using one a few times, when going travelling overseas for extended trips.


Sorry if I'm a security noob but I have a genuine question. Why do I need to use 2FA in the first place if I can remember secure enough passwords (or use password managers) and I'm not stupid enough to give the passwords away easily?


"Sorry if I'm a security noob but I have a genuine question. Why do I need to use 2FA in the first place if I can remember secure enough passwords (or use password managers) and I'm not stupid enough to give the passwords away easily?"

Glad you asked ...

... and your comment's children are not just wrong, but completely misunderstand the ecosystem they are discussing.

Mobile telephone 2FA is not for you. It's not to help you - it's not for your security. All of that is bullshit - and demonstrably so[1][2].

What is actually happening is that FAANGs, etc., have a brutal, unrelenting spam/scam problem which they have no idea how to solve.

Forcing every user to burn a phone number tied to a physical SIM card is their last-ditch attempt to throw enough sand in the gears and stay above water.

It sort of works.

It's very painful for end users, introduces all kinds of strange inconveniences and probably doesn't stop determined abusers ... but it seems to work better than anything else they've come up with thus far.

But make no mistake: It's not for you. It is not for your security or safety.

[1] Post-signup challenge to user - help us prove your identity by entering in a phone number you've never shown us before.

[2] Interestingly, very high value logins like brokerage and banking typically allow other forms of 2FA that don't involve burning a mobile number because those firms already have many other routes of identification and verification.


In this case 2FA is useful if someone sniffs your password (key logger) and uses it later to try and fail to log in without your presence. Many wireless keyboards don't use encrypted comms. Keyboards can be bugged easily. There is tech to observe to thermals of keys after they are pressed from a distance. And listen to key strokes. Or capture wirelessly transmitted keystrokes with a parabolic dish pointed at you from across the street if you are far away and an SDR or ASIC. Or a compact omni antenna in a backpack sitting next to you if you are in a public area. The possibilities are endless!


I see, maybe it serves as kind of defense in depth.

I'd be surprised if most Bluetooth keyboards don't use encryption.

And I feel like it's too paranoid for me to worry about someone probing my keyboard with a USRP or an HT-301.


CVE-2019-13054

CVE-2019-13055

CVE-2018-8117

CVE-2010-1184


These are all CVEs of security issues in the proprietary firmware of wireless input devices, that lead to either eavesdropping or input injection or both.


> I'm not stupid enough to give the passwords away easily?

Don't underestimate a determined adversary. Secondly, look for single points of failure and eliminate them as best you can. If someone gains access to your email, could they perform password resets?


> stupid

Phishing victims are not categorically stupid.


This is a situation in which self-regulation obviously does not work, and we are in dire need of legislation.

2FA schemes must always support TOTP.

Potentially, as an alternative, 2FA must not rely on SMS, as it is not secure.


Probably quite costly for the device, but would an Iridium phone number work? Such a device [1] should (not tested ;) have connectivity, even in Antarctica. I don't know of course if the same filtering for MFA SMS applies if the number has a +8816 or +8817 prefix.

[1] https://www.garmin.com/en-US/p/765374 (inReach Mini 2)


The phone-in-a-drawer solution works basically by default on Apple devices. Very common solution in outback Australia (satellite internet only, no phone coverage).


Just thinking aloud here - would you need to disable all automated updates on iOS before doing this, lest the device do a reboot for a system security update, and end up on the lock screen?

There's probably some interesting failure modes when trying to get a modern device to stay connected for months on end, without deciding to reboot for a security patch or similar, or taking an automated app update.


I always have to enter the password to start an install. I’m not sure if there’s a failsafe after some period of time since I usually install day-of but I usually wake up to some nag saying it couldn’t be installed overnight because I didn’t authenticate, and all of my devices are set to install automatically.


I suspect it doesn't matter. If the phone is powered and on, it's still doing the iCloud stuff in the background, even if it's locked.


Note that there is a difference between regular "locked" and the "locked" after a reboot. For the latter, most of the disk is still encrypted, so very little data and few services are operational. You can likely receive text messages but I doubt much of iCloud syncing works.


So with forwarding on, if you receive a garden variety SMS (green in iMessage) it will forward on as a normal (blue) iMessage over IP to other iOS devices on the same account?


Yes. It comes up green, but is delivered to all other iCloud devices on the same account. You can reply too, and it works it out. I send and receive SMSs via my MacBook and iPad.


Same here, but not about MFA: completing a transaction using one of the Indonesian payment gateways is only allowed within 1 minute XD. A slow phone opening the OVO app + slow internet would sometimes fail; receiving the push notification and loading the app took 40s total, hopefully leaving enough to enter the PIN and submit within 20s.

Even other payment gateways allow at least 5 minutes.


I'm currently using a Twilio trial U.S. number to receive SMS from a certain bank. Redirected them to a Matrix.org channel using one of those nocode services (although writing a script for it would be trivial, too). I'm travelling a lot so having a free slot for a local SIM is a major benefit :^)


I strongly suggest not using TOTP, HOTP or similar MFA solutions based on a shared secret if security is important. It is basically the same as storing your password both at your provider and in your phone in cleartext. With SMS you have at least the possibility to do auditing when a token is generated.
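The shared-secret mechanics behind the TOTP discussed in this comment and in the "2FA schemes must always support TOTP" comment above, as an added example (not code from the thread): RFC 4226 HOTP and RFC 6238 TOTP built from the standard library, with the server-side verification routine. The test secret is the one RFC 6238 publishes for SHA-1; everything else is the example's own.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP with only the standard library (added
example, not code from the thread). Both the server and the authenticator
app run these same functions over the same raw secret."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time=None, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter derived from the clock."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time=None, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps to
    tolerate clock drift. The server needs the raw secret here; it cannot
    keep only a hash of it the way it does for a password."""
    if not submitted.isdigit() or len(submitted) != digits:
        return False
    if unix_time is None:
        unix_time = time.time()
    counter = int(unix_time) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        # Evaluate every candidate and compare in constant time.
        if hmac.compare_digest(hotp(secret, c, digits, algo), submitted):
            ok = True
    return ok


# RFC 6238 Appendix B test secret for SHA-1 (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # RFC 6238 reference values for these times: 94287082, 07081804, 89005924
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_SECRET, t, digits=8))
```

The `window` argument is the usual operational compromise: one step either side absorbs a phone whose clock is half a minute off, while each extra step widens the interval in which a captured code stays valid.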


The problem with SMS is that it is allegedly trivial to convince a telco to port someone else's number to the new burner SIM you just bought. That seems slightly worse than shared secrets to me.


SIM swap attack is really baffling to me. Over here, even if someone gained access to your account and initiated porting, you still need to go to the store and present your ID to complete it.


Social engineering is really powerful, since the people you are engineering usually have elevated access privileges. In the ID scenario, presumably there are fake ID providers one could use, although with facial recognition in common use, maybe that scenario becomes harder.


It's a second factor anyways. If the provider is fully compromised it doesn't matter much if the attacker can get the secret. If the secret leaks the password is hopefully hashed so attackers still can't get in.

I'd much rather have a reliable method of 2FA that works offline, on all of my devices and can only be hijacked from me or the service than use one that requires my phone to be nearby, working and having service and can also be hijacked by my phone company.


I don’t understand the need for a separate phone. Couldn’t you just have a family member install IFTTT and receive SMS codes? IFTTT could be set up to forward the codes to a separate gmail account that isn’t used for anything else but for you to access these codes.


If the family member uses the same services as you this won't work without a second SIM and multi-SIM devices are rare in the US. (Getting better with eSIM though)


MFA futility, in its final form, is trying to log in to services on a submarine. On the bright side, you at least get the benefit of knowing immediately that the situation is completely hopeless.


Hopefully one day WebAuthn (or TLS client certs) will replace SMS auth.


I wonder if this would make a good SMS mule

https://www.gl-inet.com/products/gl-xe300/


MikroTik LTE devices can syslog any sms received. So you could then just go read the log off the device.


Pushbullet SMS forwarding is another phone in the drawer solution. I think they also offer end-to-end encrypted SMS forwarding. Of course highly dependent on Pushbullet infrastructure.


Just use Google Fi (cheapest $20 plan with no data) and the website for SMS (and calls). I ported my AT&T number there and I am living abroad currently.


I'm curious if the T-Mobile Digits web app would do the job by any chance?


No it blocks MFA too


T-Mobile Digits also blocks MFA for security


Or bring a Starlink modem with you next time you go into RV mode.


How does that help OP receive SMS?


You could probably use Twilio to make this work. It would require some coding to forward the SMS to email or post it to a website someplace where you could read it. I have done this in the past (outside of Antarctica) for 2fa that requires a certain DTMF tone be pressed and I only had an old Western Electric Model 500 phone at the time. Twilio worked great for that, but it's been years since I last did it.

https://www.twilio.com/docs/glossary/what-is-dtmf

https://www.twilio.com/code-exchange/forward-sms-email

The downside to doing what I did is it basically removes 2fa. You are back to a single factor as the 2fa is now automated and that may not be appropriate for many use cases.
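The webhook receiver behind a Twilio SMS-to-email forwarder has one check that matters more than the forwarding itself, and this added example (not code from the thread or from Twilio's code exchange) shows it: validating the `X-Twilio-Signature` header before trusting the message. Without that check, anyone who learns the webhook URL can POST a forged "verification code" into the inbox. The signing scheme is Twilio's published one (request URL plus sorted POST parameters, HMAC-SHA1 keyed with the account auth token, base64); the token, URL, numbers and message are constructed placeholders.

```python
"""Validate Twilio's X-Twilio-Signature on an inbound-SMS webhook before
forwarding the message anywhere (added example; not the thread's or Twilio's
code). A request with a bad or missing signature is dropped."""
import base64
import hashlib
import hmac
import re


def twilio_signature(auth_token: str, url: str, params: dict) -> str:
    """Twilio's scheme: full request URL + POST params (sorted by key, key and
    value concatenated with no delimiter), HMAC-SHA1 keyed with the account
    auth token, base64-encoded."""
    signed = url + "".join(k + v for k, v in sorted(params.items()))
    mac = hmac.new(auth_token.encode("utf-8"), signed.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def is_valid_twilio_request(auth_token: str, url: str, params: dict,
                            header_signature) -> bool:
    """Recompute the signature and compare in constant time."""
    expected = twilio_signature(auth_token, url, params)
    return hmac.compare_digest(expected, header_signature or "")


# Pulls a 4-8 digit code out of the message body, if there is one.
CODE_RE = re.compile(r"\b(\d{4,8})\b")


def handle_inbound_sms(auth_token: str, url: str, params: dict, header_signature,
                       expected_to=None):
    """Webhook core: returns a dict describing the message to forward, or None
    if the request should be dropped."""
    if not is_valid_twilio_request(auth_token, url, params, header_signature):
        return None  # forged, or a real request whose body was tampered with
    if expected_to and params.get("To") != expected_to:
        return None  # not the number this forwarder was provisioned for
    body = params.get("Body", "")
    m = CODE_RE.search(body)
    return {
        "from": params.get("From"),
        "to": params.get("To"),
        "body": body,
        "code": m.group(1) if m else None,
    }


# Constructed sample request (token, URL and numbers are placeholders, not real).
SAMPLE_TOKEN = "example-auth-token-not-real"
SAMPLE_URL = "https://forwarder.example.invalid/sms"
SAMPLE_PARAMS = {
    "From": "+15550001111",
    "To": "+15550002222",
    "Body": "Your Example Bank verification code is 482913. Do not share it.",
}

if __name__ == "__main__":
    sig = twilio_signature(SAMPLE_TOKEN, SAMPLE_URL, SAMPLE_PARAMS)
    print(handle_inbound_sms(SAMPLE_TOKEN, SAMPLE_URL, SAMPLE_PARAMS, sig))
    print(handle_inbound_sms(SAMPLE_TOKEN, SAMPLE_URL, SAMPLE_PARAMS, "bogus"))
```

`url` must be the exact public URL Twilio was configured to call, including scheme and query string; behind a reverse proxy that is usually reconstructed from forwarded headers rather than taken from the local request, which is the most common reason a correct implementation rejects every real message.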


Won't work. Twilio is one of the many VOIP companies that are blacklisted by banks.



