1Password SMS 2FA Service

Options
whenders0n
whenders0n
Community Member
in Lounge

This is more a feature suggestion than a question, so please let me know if it's the wrong place to share!

A huge security problem is websites using SMS to implement 2FA, or having a phone-based "fallback" for when I lose my 2FA token. I see this as a problem 1Password could solve for its users. Specifically:
1. 1Password would offer a paid service where you get a designed phone number that you provide to websites that use SMS 2FA/Fallback.
2. 1Password would pinky-swear promise that this number is perma-linked to your account and can never be ported anywhere never ever period.
3. When logging in to this website, the service would send an SMS that 1Password receives and forwards to the 1Password client
4. The 1Password client receives the code and enters it, making the user experience identical to using a token-based OTP.

And for anyone looking for an interim solution: you can use a designated Google Voice account for this purpose. I am told it is hard or impossible to social engineer Google into porting a number out, and at the very least this designated number is much harder to know than my everyday phone number.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:i would really love to see 1password have a paid service where you get a textable phone number for SMS 2FA and they pinky-swear promise that it can never be ported anywhere ever

Comments

  • XIII
    XIII
    Community Member
    Options

    I "hate" SMS 2FA and love this idea.

    However, I wonder whether it's commercially feasible for Agilebits (I have no idea how costly it is to purchase a lot of phone numbers and handle a lot of SMS messages).

    In an ideal world nobody would be using SMS for 2FA, but unfortunately that's often the only (and required) option...

  • AGAlumB
    AGAlumB
    1Password Alumni
    Options

    It's an interesting idea, but it doesn't address the actual fundamental problem with "SMS authentication": SMS is entirely insecure. Google Voice is a great option for a lot of reasons other than security, but if you try to use it for this purpose enough you'll find that many services do not work with it in order for you to receive SMS there, as many are using country- and carrier-specific messaging (I often have to choose from a list of cell providers, which of course Google Voice is not one, and haven't found that I could "fake" it and get it working by selecting anything else). Fortunately TOTP is an open standard with zero costs, so more and more services are adding support for that, almost certainly so they don't have to pay messaging fees. But yeah, SMS can't go away fast enough. :)

This discussion has been closed.