Using eSIM on dual SIM phone for 2FA via SMS

I am in a situation where one of my financial accounts only uses 2FA via SMS. I could get a separate phone that I keep at home, but that would be expensive. As an alternative, my existing unlocked iPhone XR supports dual SIM, so I could get an eSIM from a prepaid plan like Tello or US Mobile, then limit the plan to the absolute minimum (i.e., zero data and limited text/voice).

My threat model is heavy on the security side, and less so on the privacy side, so I don’t want the expense and hassle of switching to a CalyxOS Android phone. Does this seem like a reasonable approach? Does it eliminate the possibility of being targeted with a SIM swap attack?

Absolutely not.

A SIM swap attack is possible for one simple reason: you do not actually own your phone number but instead ‘rent’ it from a service provider. Even though the common name for the vulnerability implies something to do with physical SIM cards, in reality any phone number is susceptible no matter what service might be connected to it.

To minimize the likelihood of a SIM swap attack, you need to think purely about the policies your service provider has in place to prevent unauthorized changes to your account. Cellular providers nowadays tend to require an account PIN for customer service purposes, but I expect it is still possible to social-engineer around the PIN requirement due to their catering to extremely non-technical people. Many VoIP service providers are probably a fair bit less likely to be social-engineered due to an expectation of tech savvy and self-service. Google Voice is just about as resistant to SIM swap attacks as a phone service can possibly get — because Google offers no support whatsoever (at least for the base free plan).


SIM swaps are a big deal and you can only react to them as fast as possible. The network service provider leases the number to the client. The provider doesn’t place any guarantee over the lease that implies they own the number - and it takes maybe 20 to 30 minutes of social engineering to gain access to the number of any individual. The protection offered by Signal means that you cannot recover old messages without a backup of them which are on the old device, now the attacker’s device. So you only gain the ability to reset passwords to accounts with SMS 2FA. That’s why nobody uses 2FA with SMS - to mitigate losing access to an account if they lose that phone number. It’s an archaic and useless method of authentication.


Thank you both for the reply. At this point, I’m confused about what the best plan of action is. I can’t move away from that particular provider, so I’m stuck with using SMS based 2FA on that account. What should I do to minimize the security risk?

Use a strong base password generated using a password manager. Ensure all password resets go to an email with strong password protection. If SMS is required to verify, and there’s no way to use OTP, then it’s all you can do.


I’m already using Bitwarden to generate long, strong passwords, and my password resets go to an encrypted account that has a strong password and OTP, so I have that covered. Do you think there is any benefit to using a separate phone number that is only used for SMS 2FA codes and nothing else?

Yes. I think you should practice having a phone for only 2FA via Aegis, Authy or Bitwarden. Whatever the choice, offline is better. You’re using it for just authentication, so it’s best not to bundle your OTP codes in your password manager, for another degree of separation. Then you would have offline OTP coupled with a strong password to your accounts, and another password manager which also has a strong password and is kept offline when not in use. The “keep it offline” step puts you a cut above most, as is. Take it further yet by optionally using a separate device for all 3: one each for your manager, your OTP generator and your daily-driver device.


No, not really. It just seems like a pointless inconvenience and a waste of money, unless you wish to disconnect that particular service from your other phone number.

SMS 2FA isn’t going to be made stronger based on the phone number you use, unless your main number is for whatever reason a high-value target (e.g. celebrities) or attached to a service provider that is notoriously easy to social-engineer. All you can really do is hope the service in question switches to a secure form of 2FA sooner rather than later.

In my experience all providers can be social engineered, it just takes more steps for certain tier providers than it would others. Prepaid providers are easier than others, but the others are still pretty easy as well.

Please don’t recommend anyone use Authy.

Authy makes it as difficult as possible to switch away from their service, is fully proprietary and cloud-based, and offers no real reasons to trust their security.

If you are going to partially negate the premise of 2FA anyway (something you know + something you have), Bitwarden is a far better choice of cloud-based TOTP generator. This is still true even if you keep your passwords and TOTP together in the same vault, as long as that vault is secured with strong 2FA like a FIDO2 WebAuthn hardware security key or even TOTP generated offline with Aegis.

The ideal way to have a synchronized TOTP setup would be to use a KeePass database synced offline via Syncthing or a self-hosted Nextcloud server (or similar).

Do not use Authy.

I actually have an old Moto X I could load a TOTP app on. I took the sim out and factory reset it long ago, so I should be able to use it strictly offline to get TOTP codes. I wouldn’t use Authy though. They hide the seeds which makes it difficult to impossible to recover them. Aegis is good though.

I never recommended it. I don’t recommend it. I only recommend open-source and audited software.

Don’t put words in my mouth.

Got Aegis loaded on the old phone and it’s working great with all wireless communications turned off. I’ll migrate my TOTP protected account seeds there, back them up onto an encrypted drive and remove them from my other authenticators.

As far as that one account using SMS 2FA, I’m just going to have to live with it, but I will keep pestering them to add hardware key support or at least TOTP support. Thanks to everyone for the assistance, it’s much appreciated.


There is a way to recover Authy’s OTP seeds. The link refers to an Authy to Raivo OTP guide, but steps 1 to 7 are enough in any case.

Good to know, thanks for that. I’m sure it will help some people, but IMHO it’s still not easy or even feasible for someone who isn’t very technical. Personally, I think it is really slimy of them not to allow users to export, view or otherwise backup and recover the seeds other than through their cloud service.
