It's rubbish. The circumstances that would make it even theoretically useful are rare and in practice it doesn't even work then. There is no reason to pay good money so you can be insured against alien abductions under a policy whose terms won't pay out even if you somehow actually get abducted by aliens.
> This is correct. But SMS 2FA is better than no 2FA.
The alternatives to SMS 2FA don't just include no 2FA, they also include any of the better 2FA alternatives to SMS.
Choosing SMS is like saying we should all bottle our urine in case we need something to drink later. There's juice and soda in the fridge and a tap full of water right over there, don't be crazy.
> The attacks you speak of are targeted attacks, where the victim and phone number are known.
How do you mean? Anyone who can snoop SMS gets a list of usernames and passwords from a data breach and tries them all against a hundred services. When that user exists on that service, the service says "we sent an SMS to your phone number at xxx-xxx-4578", so the attacker looks for any SMS code to any phone number ending in 4578 in the last ten seconds. Even if they don't have the phone number from the data breach, most commonly there is only one matching message; if there are two or three they just try all of them, and now they've compromised thousands of accounts on a hundred services because SMS is such rubbish.
On top of that, the targeted attacks also work against SMS. If you know the target's phone number you don't need to be able to capture every SMS to compromise them using SIM swapping or any of the other numerous vulnerabilities SMS 2FA is susceptible to.
> It's not snake oil, however.
It's a proposed solution with negligible or negative benefits over known alternatives. That's snake oil.
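The opportunistic attack the comment above describes (credential stuffing plus matching snooped SMS by the last four digits the login prompt reveals and a short time window) can be simulated to see why the hint is usually enough to pick out one message. The following is an added example, not code from the commenter or from any real service or SMS interception tool. It assumes 6-digit codes, a 10-second window and a service that allows a few code attempts, all as stated in the comment; the intercepted messages and phone numbers are constructed sample data.

```python
"""Simulation of matching snooped SMS codes to a login prompt's hint (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sms:
    to_number: str   # destination number (constructed, not real)
    sent_at: float   # epoch seconds
    body: str


def extract_code(body: str) -> Optional[str]:
    """Pull a 6-digit code out of an SMS body, if one is present."""
    m = re.search(r"\b(\d{6})\b", body)
    return m.group(1) if m else None


def candidate_codes(intercepted: List[Sms], last4: str, prompt_time: float,
                    window: float = 10.0) -> List[str]:
    """Codes from messages sent to a number ending in `last4` within `window`
    seconds before `prompt_time`.  Both facts come from the service's own
    "we sent SMS to xxx-xxx-4578" prompt, so no phone number is needed upfront."""
    out = []
    for sms in intercepted:
        if not sms.to_number.endswith(last4):
            continue
        if not (prompt_time - window <= sms.sent_at <= prompt_time):
            continue
        code = extract_code(sms.body)
        if code:
            out.append(code)
    return out


def try_candidates(real_code: str, candidates: List[str],
                   max_attempts: int = 3) -> Tuple[bool, int]:
    """Model the attacker submitting each candidate until the service accepts one
    or the (typically small) attempt limit is hit.  Returns (success, attempts)."""
    for attempt, code in enumerate(candidates[:max_attempts], start=1):
        if code == real_code:
            return True, attempt
    return False, min(len(candidates), max_attempts)


def expected_extra_matches(messages_in_window: int, suffix_digits: int = 4) -> float:
    """Expected number of *other* messages sharing the victim's suffix in the window,
    assuming suffixes are uniformly distributed: N / 10**digits."""
    return messages_in_window / (10 ** suffix_digits)


# Constructed snooped traffic around one login prompt at t=1000.0 (not real data).
PROMPT_TIME = 1000.0
INTERCEPTED = [
    Sms("+15550001111", 993.0, "Your code is 118207"),           # wrong suffix
    Sms("+15550004578", 960.0, "Your verification code: 771023"),  # right suffix, too old
    Sms("+15550004578", 996.5, "Your login code is 482913"),       # the victim's code
    Sms("+15550004579", 997.0, "Use 902214 to sign in"),           # near miss on suffix
    Sms("+15550009999", 998.0, "Your package has shipped"),        # no code at all
]
REAL_CODE = "482913"


def demo() -> Tuple[bool, int]:
    cands = candidate_codes(INTERCEPTED, "4578", PROMPT_TIME)
    return try_candidates(REAL_CODE, cands)


if __name__ == "__main__":
    print(candidate_codes(INTERCEPTED, "4578", PROMPT_TIME))
    print(demo())
    print(expected_extra_matches(50_000))
```

With a feed of 50,000 messages per 10-second window, the uniform-suffix estimate gives about five other messages sharing the victim's last four digits, which is why a couple of allowed attempts per login usually suffice; anything smaller than a nationwide carrier's traffic leaves a single candidate most of the time.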