What are the issues with SMS multi-factor authentication in Antarctica?



Multi-factor authentication (MFA) using SMS sent to a mobile phone number is unavoidable when living online in modern society. While some companies support non-SMS MFA via mobile number, some banks are sticking to SMS MFA. However, there is currently no radio tower for any carrier at McMurdo Station, a United States base in Antarctica, so MFA using SMS cannot be performed there. Mr. brr, who is engaged in IT projects at McMurdo Station, explains this problem.

SMS Multifactor Authentication in Antarctica
https://brr.fyi/posts/sms-mfa

Although the official guidance for people working in Antarctica says to 'deactivate MFA by SMS before operating', there are always several services that cannot easily deactivate MFA and require a phone number.



Therefore, Mr. brr explains how to perform MFA using SMS in Antarctica as follows.

◆1: Failure example
Mr. brr first tried SMS MFA by using Verizon Messages Plus to synchronize text messages to a computer that is online in Antarctica. However, while Verizon Messages Plus could send and receive SMS between individuals, MFA by SMS did not work under Verizon's policy.

Next, Mr. brr transferred the phone number to Google Voice and tried to send and receive text messages on the Google Voice website. The attempts were 75% successful and 25% unsuccessful. The reason is that banks use APIs provided by providers to reject MFA by SMS if the phone number is not a real mobile phone number but a landline or a virtualized VoIP number like Google Voice. It is explained that there is a possibility that

◆2: Compromise
brr offers three compromises. The first is to use Wi-Fi calling, which connects the mobile phone over an internet connection to send and receive text messages. However, Wi-Fi calling assumes stable broadband, which makes it difficult at McMurdo Station, where communication is unstable.

The second is MFA by voice: redirecting voice calls and completing MFA that way instead of over SMS. Many banks, Apple ID, and Google also support voice MFA, which is much easier than SMS MFA, brr said. As an example, Mr. brr describes temporarily transferring his mobile phone number to a friend in Japan, having the friend answer the voice call, and having the code sent by email or chat.

The third option is to “give up”. Since the work in Antarctica will be over in a few months, it is recommended to avoid situations where MFA with SMS is required in Antarctica.



◆3: Actual solution
Mr. brr says two solutions are practical. The first is to cheat the bank. The problem with MFA using Google Voice is that the bank can determine that the number is a Google Voice number. So brr describes doing MFA over SMS through a VoIP provider other than Google Voice, one whose number the bank thinks is a real mobile number. But a provider that worked one day might not work the next, he said, making it a “cat and mouse game.”

The second is to leave a physical cell phone outside Antarctica and make it reachable from Antarctica with an app that forwards text messages to email. This is the solution brr uses, and despite some security drawbacks, it's the only fool-proof way to actually get text messages in Antarctica.



brr concludes, “I hope this article provides a useful overview of the current state of MFA using SMS when you don't have access to a physical mobile phone.”

in Note, Posted by log1r_ut