robertclarke.com

Apple needs to remove mandatory SMS-based TFA

August 07, 2019

Apple needs to remove mandatory SMS-based TFA

I recently did a security audit of my personal online presence and was shocked to find that Apple now makes it mandatory to keep your SMS-based two factor authentication after initially enabling it. Yes, that means that if the guy at the Verizon store decides to hand out a new sim card registered with your phone number to a fraudster, someone will have a great day at your expense.

At this point it’s fairly common knowledge that phone numbers stink as identity proof. The countless cases of sim-swapping incidents, primarily targeting cryptocurrency investors, are a visceral example of why we need to stop requiring SMS-based TFA. Google suite even has a guide for admins to disable SMS and voice codes on their company domains to curb this issue.

Sure, for the most part, phone-based-TFA is very enticing to an online business as it’s a great way to cut down on fake accounts. That being said, Apple, is it really necessary to make it mandatory? It looks like for the time being, the only way to get around this restriction is to go through the hassle of moving to a new Apple ID. The One Plus 7 looks very appealing right now…


Robert Clarke

Currently engineering at Oracle. I like to document my travels on Instagram and share my thoughts on Twitter.