SMS 2FA is not just insecure, it's also hostile to mountain people

i have a friend — she's an old lady born and raised here in the western north carolina mountains. she hates computers, yes, but she's been willing to learn a lot and quickly after joining a big signal group chat that our shared local community uses to keep in touch.

aside from memeing with the best of them in the group chat, she also maintains a large fish pond outside the house she built herself. this despite being in her 70s. she's an inspiration.

she has a landline. it works great, and the landline phone hardware works great with her hearing aids. she's had it for years. spectrum has a monopoly in our area so the landline and her cable internet service are with spectrum.

she got a cell phone a few years ago. she got a smartphone basically because she had to to do basic life tasks, including joining the big signal group chat. at first she just used it on wifi, but quickly she decided she wanted to be able to use the phone everywhere so she got a cell phone plan from spectrum because they were already her ISP. spectrum mobile uses the verizon network — famed for its good rural coverage.

this is where things started to go haywire.

all her accounts on websites, things like email and bank accounts and health insurance and healthcare providers, they started trying to send her SMS messages in order to let her get into her accounts.

the SMS codes don't work, because they don't come. she doesn't have cell service at her house. it's up in the mountains, sure, but it's not isolated. she lives 20 minutes from downtown asheville and she has lots of neighbors on her road.

she turned on wifi calling on her phone. now she could receive SMS messages from friends and family, but 2FA codes still weren't coming through. i did some digging, and it turns out messages from 5-digit shortcodes often aren't supported over wifi calling. sometimes they are, but in her case they're clearly not. she has a current, stock iphone. she's using the spectrum-provided internet hardware. she knows how to use her phone.

i did more digging — it turns out some ISP-provided landline services support receiving SMS messages to the landline, and then a computer voice reads them out to you. “we don't offer that service” the spectrum chat told us.

some of these accounts can likely be converted to using TOTP 2FA rather than SMS 2FA. this is good, but you have to get in to begin with in order to turn that on. so what my friend has to do is:

  1. make a list, over time, of the websites that she's locked out of because of SMS 2FA
  2. not be able to use those sites at home the whole time she's making the list
  3. schedule a meetup with a friend like me
  4. drive to town to meet the friend
  5. sit down and systematically go through the list of websites and convert them to TOTP
  6. inevitably discover that some of them don't support TOTP
  7. try and contact those companies and explain that they need to turn off SMS 2FA on her account so that she can use their healthcare/banking/email/whatever service from her home
  8. discover that it's not possible to talk to a company anymore in 2025

other options available to her include

  1. port her cellphone number to a VOIP provider that does support receiving SMS from shortcodes over wifi
  2. spend hundreds of dollars setting up a cell tower signal booster outside her house
  3. move

these are all ridiculous options that shouldn't be necessary in order to log in to a website.

if you look at the spectrum mobile coverage map where my friend lives, it shows she has perfect coverage at her house. and all her neighbors do too. all the way up the holler in fact!

this is simply false. she usually doesn't even have service 100 meters down the road.

another friend of mine who also lives out in the county, a millennial, once said that “SMS 2FA is the bane of [her] existence.” the valley she's in isn't even that deep.

and TOTP, the obvious alternative solution, is still pretty sorry. you have to download an app to do it, it's not just a capability that a phone has by default. and then when trying to find an app to use for it, you're presented with a multitude of high-stakes choices, and often pretty technical explanations if you start internet searching about which app to use.

i understand why SMS 2FA is so ubiquitous. when it works, the UX is good, nontechnical users intuitively understand it, and it's usually secure enough.

but there are 1.1 million people in these western north carolina mountains, 25 million in the rest of the appalachians, and many millions more in the mountain west and pacific ranges.

we have internet, but we have F-tier cell service — what are we supposed to do?