Security Analysis of SMS-enabled Websites

| Annotation | Explanation |
|---|---|
| initial X 2FA signup mandatory | X 2FA must be enrolled to enable 2FA at all; it CAN be disabled in favor of other options afterwards |
| X 2FA used as mandatory backup | X 2FA must be enrolled as a backup to enable 2FA; it CANNOT be disabled in favor of other options |
| X 2FA mandatory | X 2FA must be enrolled to enable 2FA; it CANNOT be disabled in favor of other options |
| automatic X backup signup | X 2FA is discreetly enabled as a backup without user input or notification |
| Proprietary | authenticator app exclusive to the website; uses either tap-to-login or TOTP |
| U2F | U2F security key |
| PKQ | personal knowledge (security) questions |
| PR | password recovery; the channel that follows (PR SMS, PR email, PR seed, ...) is one that can reset the account password |
| Secure | uses stronger authentication schemes, such as authenticator apps; no scheme can be recovered or reset by SMS |
| Insecure | compromise additionally requires the account password; the configuration offers SMS-based authentication but does not allow SMS-based password recovery |
| Doubly insecure | a SIM swap alone is enough for account compromise; the configuration uses both SMS-based 2FA and SMS-based password recovery |
| Insecure (not pertinent) | insecure, but not pertinent to our analysis |
| Likely insecure | likely insecure based on the account recovery page; unable to verify due to the noted restrictions |
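As an added illustration (not part of the original dataset), the following Python applies the legend's three classes to rows written in the table's own cell format: schemes separated by ";" and recovery channels prefixed "PR". The `Site`, `classify` and related names are hypothetical helpers. Three rules are assumptions made here rather than statements from the legend: a site is judged by the weakest configuration it offers, the account is assumed to have 2FA enabled so that a channel marked "only if 2FA is not enabled" counts as closed, and a channel such as "PR SMS + old password" counts as requiring a secret beyond the SIM. The sample rows are transcribed from the table below.

```python
"""Classify a site's 2FA/recovery configuration against a SIM-swap attacker.

Added example, not part of the original dataset. It applies the legend's three
classes (Secure / Insecure / Doubly insecure) to rows written in the table's own
cell format: schemes separated by ";" and recovery channels prefixed "PR".

Assumptions made here, not stated in the legend:
  * a site is judged by the weakest configuration it offers, since a victim
    may be enrolled in any of them;
  * the account is assumed to have 2FA enabled, so a recovery channel marked
    "only if 2FA is not enabled" is treated as closed;
  * "PR SMS + old password" style channels demand a secret beyond the SIM and
    are therefore not counted as SIM-swap-alone recovery.
"""
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    configs: list[list[str]]   # each offered configuration, as a list of schemes
    recovery: list[str]        # recovery channels, e.g. "PR SMS", "PR email", "No PR"


def parse_schemes(cell: str) -> list[str]:
    """Split a table cell such as 'SMS; Authenticator' into its scheme names."""
    return [s.strip() for s in cell.split(";") if s.strip()]


def from_row(name: str, config_cells: list[str], recovery_cell: str) -> Site:
    """Build a Site from the raw cells of one table row (empty cells are skipped)."""
    configs = [parse_schemes(c) for c in config_cells if c.strip()]
    return Site(name, configs, parse_schemes(recovery_cell))


def sms_reset_open(recovery: list[str], two_fa_enabled: bool) -> bool:
    """True if the password can be reset with nothing more than the victim's phone number."""
    for entry in recovery:
        e = entry.lower()
        if e == "pr sms":
            return True                      # unconditional SMS reset
        if e.startswith("pr sms only if") and "not enabled" in e and not two_fa_enabled:
            return True                      # conditional path, open only while 2FA is off
        # any other "pr sms ..." variant ("+ old password") needs a further secret
    return False


def offers_sms_2fa(site: Site) -> bool:
    """True if any offered configuration uses SMS as a second factor."""
    return any("SMS" in cfg for cfg in site.configs)


def classify(site: Site) -> str:
    """Return the legend class for a user enrolled in the site's weakest configuration."""
    sms_2fa = offers_sms_2fa(site)
    sms_reset = sms_reset_open(site.recovery, two_fa_enabled=True)
    if sms_2fa and sms_reset:
        return "Doubly insecure"   # SIM swap alone: reset the password by SMS, pass 2FA by SMS
    if sms_2fa or sms_reset:
        return "Insecure"          # SIM swap plus the password (or plus the non-SMS factor)
    return "Secure"


# Constructed sample: cells transcribed from the table rows for these sites.
SAMPLE_ROWS = [
    ("Amazon", ["SMS", "SMS; Authenticator", "Authenticator"], "PR SMS; PR email"),
    ("Twitter", ["SMS", "SMS; Authenticator", "Authenticator", "SMS; U2F"],
     "PR SMS only if 2FA is not enabled; PR email"),
    ("Coinbase", ["U2F", "Authenticator", "SMS"], "PR email"),
    ("Amazon Web Services", ["Authenticator", "U2F"], "PR email"),
    ("Yandex.Money", ["Proprietary"],
     "PR SMS only if 2FA is not enabled; PR email only if 2FA is not enabled; PR SMS + old password"),
    ("Hushmail", ["Authenticator; SMS; Email", "SMS; Authenticator", "Email", "Authenticator"], "No PR"),
]


def classify_rows(rows=SAMPLE_ROWS) -> dict[str, str]:
    """Classify every sample row; returns {site name: legend class}."""
    return {name: classify(from_row(name, cfgs, rec)) for name, cfgs, rec in rows}


if __name__ == "__main__":
    for site_name, verdict in classify_rows().items():
        print(f"{site_name:22} {verdict}")
```

The point the conditional branch makes: a site such as Twitter or Facebook that offers SMS reset "only if 2FA is not enabled" closes that path the moment the user enrolls any second factor, so it lands in Insecure rather than Doubly insecure, whereas an unconditional "PR SMS" next to an SMS second factor (Amazon) lets a SIM swap alone take the account.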

This dataset represents our original findings. Fixes are indicated in the Responses column.

| Name | Recommended Configuration | Alternate Configuration 1 | Alternate Configuration 2 | Alternate Configuration 3 | Account/Password Recovery | Remarks | Responses | Screenshots |
|---|---|---|---|---|---|---|---|---|
| (ISC)2 | Authenticator | Authenticator; SMS | SMS; PKQ | Authenticator; PKQ | PR email | backup signup available | | |
| Acquia | Authenticator; SMS | SMS | Authenticator | | PR email | backup signup recommended | | |
| Adafruit | Authenticator; SMS | SMS | Authenticator | | PR email | SMS backup signup recommended | | |
| Adobe ID - reported fixed | Email | Email; SMS; Authenticator | Email; SMS | | PR SMS; PR email | email 2FA mandatory | reported as fixed; this row represents our original finding | |
| Airtable | SMS; Authenticator | SMS | | | PR email | SMS 2FA mandatory | | |
| Allegro | SMS | Authenticator; SMS | | | PR email | SMS 2FA used as mandatory backup | | |
| Ally Bank | | | | | PR SMS | Restriction - bank account required for account creation | | |
| Amazon | SMS | SMS; Authenticator | Authenticator | | PR SMS; PR email | backup signup available | closed as won't fix | |
| Amazon Web Services | Authenticator | U2F | | | PR email | SMS 2FA still used but no longer enrollable | | |
| Ancestry | SMS | | | | PR email | | | |
| Aol Mail | SMS; Email | | | | PR SMS; PR email | automatic email backup signup using email on file; 1-step login with OTP available | no response | |
| Apple | Proprietary; SMS | | | | PR linked device | SMS backup signup mandatory; 2FA cannot be disabled once set | | |
| Atlassian | Authenticator | SMS | | | PR email | | | |
| Autodesk | Authenticator; Email | SMS; Email | | | PR email | automatic email backup signup using email on file | | |
| Backblaze | SMS | Authenticator | Authenticator; SMS | | PR email; PR SMS only if SMS 2FA is not enabled | | | |
| Betterment | SMS | SMS; Authenticator | | | PR email | SMS 2FA mandatory; backup signup available | | |
| BiggerPockets | SMS | SMS; Authenticator | | | PR email | SMS 2FA mandatory; backup signup available | | |
| Bitflyer | Email | Authenticator | SMS | | PR email | | | |
| Bithumb | SMS | Authenticator | | | PR email | initial SMS 2FA signup mandatory; 1-step login with OTP available if SMS 2FA is enabled | | |
| Bitlish | SMS | Authenticator | | | PR email | | | |
| Bitly | SMS | | | | PR email | | | |
| bitwarden | Authenticator | Authenticator; Email | SMS | U2F | PR email | SMS 2FA available with premium membership | | |
| Blizzard - fixed without reporting | Proprietary; Email; SMS | | | | PR SMS; PR email | automatic SMS backup signup using phone number on file; automatic email backup signup using email on file; proprietary app can be disabled with SMS template acknowledgement | later fixed the issue without notifying us; this row represents our original finding | |
| Blockchain | Authenticator | U2F | SMS | | PR seed | | | |
| Booking.com | SMS; Email | | | | PR email | automatic email backup signup using email on file | | |
| Box | SMS | | | | PR email | | | |
| BTC BOX | Authenticator | Authenticator; SMS | SMS | | PR email | SMS 2FA improperly configured, does not manifest | | |
| Buddy | SMS | Authenticator | | | PR email | | | |
| Buffer | SMS | Authenticator | | | PR email | | | |
| Buycraft | Email | Authenticator; SMS | | | PR email | initial email 2FA signup mandatory; SMS 2FA used as mandatory backup for authenticator 2FA | | |
| CEX.IO | Authenticator | SMS | | | PR email | | | |
| Circle | SMS | Authenticator | | | PR email | initial SMS 2FA signup mandatory | | |
| Cisco Meraki | SMS | Authenticator; SMS | | | PR email | SMS 2FA used as mandatory backup | | |
| Cloze | SMS | Authenticator | | | PR email | | | |
| CM Telecom | SMS | Proprietary; SMS | | | PR email | automatic SMS backup signup using phone number on file | | |
| Coinbase | U2F | Authenticator | SMS | | PR email | already explicitly recommends against SMS 2FA; explanation provided but not directly linked | | |
| CoinDeal | SMS; Authenticator | | | | PR email | SMS 2FA used as mandatory backup | | |
| Coinjar | Authenticator | Authenticator; SMS | SMS | | PR email | recommends against SMS but labels authenticator as 'advanced' | | |
| Coinspot | Authenticator | SMS | | | PR email | already explicitly recommends against SMS 2FA | | |
| Comcast | | | | | PR SMS; PR email | Restriction - utility service required for account creation | | |
| Con Edison | | | | | PR SMS; PR email | Restriction - utility service required for account creation | | |
| Cosmolex | SMS | | | | PR email | | | |
| Delighted | SMS; Email | | | | PR email | automatic email backup signup using email on file | | |
| DigitalOcean | Authenticator; backup code | Authenticator; SMS | SMS; backup code | SMS; Authenticator | PR email | backup signup available | | |
| Discord | Authenticator; SMS | Authenticator | | | PR email | authenticator 2FA mandatory; SMS backup signup recommended | | |
| Docusign | Authenticator; SMS; Email | SMS; Email | Email | | PR email | email 2FA used as mandatory backup; requires at least 2 backup contacts (phone numbers and/or email addresses combined) | | |
| Dropbox | SMS | Authenticator; SMS | Authenticator | Authenticator; U2F | PR email | SMS backup signup recommended | | |
| Dynadot | Authenticator | SMS | Authenticator; SMS | | PR email | backup signup available | | |
| easyDNS | Authenticator | SMS | Email | | PR email | | | |
| eBay - reported fixed | Proprietary; Email | SMS; Email | | | PR SMS | automatic email backup signup using email on file; 1-step login with OTP available if 2FA is not enabled | reported as fixed; this row represents our original finding | |
| Electronic Arts (Origin) | Authenticator; Email | SMS | Email | | PR email | backup signup available; backups cannot be disabled once set | | |
| Etsy | Authenticator | SMS | Phone | | PR email | | | |
| Evernote | Authenticator | SMS | | | PR email | SMS 2FA available with Evernote Premium | | |
| Facebook | Authenticator | SMS | U2F | | PR SMS only if 2FA is not enabled; PR email | | | |
| FastMail | Authenticator | U2F | | | PR SMS only if 2FA is not enabled; PR email only if 2FA is not enabled | Outdated - no SMS 2FA | | |
| Figma | Authenticator | Authenticator; SMS | SMS | | PR email | backup signup available | | |
| Finnair | SMS | Authenticator; SMS | | | PR SMS; PR email | automatic SMS backup signup using phone number on file | no response | |
| Fiverr | Proprietary; Email; SMS | | | | PR email | | | |
| Flywheel | Authenticator | SMS | | | PR email | | | |
| FollowMyHealth | Authenticator; Email; SMS | | | | PR email | automatic SMS backup signup using phone number on file; automatic email backup signup using email on file; backups cannot be disabled once set | | |
| Formstack | Authenticator; SMS | SMS | Authenticator | | PR email | SMS backup signup recommended | | |
| FreeTaxUSA | SMS; Email | Authenticator; SMS; Email | Authenticator; Email | Authenticator; SMS | PR SSN | initial SMS 2FA signup mandatory; initial email 2FA signup mandatory | | |
| Gaijin Entertainment | Authenticator; SMS | Authenticator; Email; SMS | | | PR email; PR SMS | SMS 2FA used as mandatory backup; using SMS disables 2FA altogether | did not understand | |
| Gemini | Authy | SMS | U2F | | PR email | initial SMS 2FA signup mandatory; permanently switches to Authy if installed | | |
| GitHub | Authenticator | Authenticator; SMS | SMS | U2F | PR email | SMS backup signup available | | |
| GoCardless | SMS | | | | PR email | | this row represents our original finding | |
| GoDaddy | SMS; Authenticator; U2F | SMS; U2F | Authenticator | SMS | PR email | backup signup recommended | | |
| Google | SMS; Authenticator; U2F | Authenticator | Proprietary; U2F | SMS; U2F; Proprietary | PR email; PR SMS only if SMS 2FA is not enabled; PR manual review | | | |
| Grape | SMS | Authenticator | | | PR email | | | |
| GroupMe | SMS | | | | PR email | | | |
| Guild Wars 2 | Email | SMS | Authenticator | | PR email | initial email 2FA signup mandatory | | |
| Gusto | SMS | Authenticator | | | PR email | | | |
| HashiCorp Terraform Enterprise | Authenticator; SMS | Authenticator | SMS | | PR email | SMS backup signup recommended | | |
| HashiCorp Vagrant Cloud | Authenticator; SMS | Authenticator | SMS | | PR email | SMS backup signup recommended | | |
| HelloSign | Authenticator | SMS | | | PR email | SMS 2FA available with upgrade | | |
| Hover.com | Authenticator | SMS | | | PR email | | | |
| HubSpot | Authenticator; SMS | Authenticator | SMS | | PR email | backup signup recommended | | |
| Hushmail | Authenticator; SMS; Email | SMS; Authenticator | Email | Authenticator | No PR | No PR; all schemes selected by default | | |
| ID.me | SMS | Authenticator; SMS | Authenticator; Proprietary | Proprietary; U2F | PR email | backup signup available | | |
| IFTTT | Authenticator | SMS | | | PR email | | | |
| Infomaniak | Proprietary | SMS; Email; U2F | Proprietary; U2F | | PR email | backup signup available | | |
| Instagram | SMS | Authenticator | SMS; Authenticator | | PR email | backup signup available | | |
| Intuit TurboTax | SMS | SMS; Authenticator | | | PR email; PR SMS only if 2FA is not enabled; PR PII | SMS 2FA used as mandatory backup; 1-step login with OTP available if 2FA is not enabled | | |
| Jottacloud | Authenticator | SMS | | | PR email | | | |
| Justworks | Authenticator; SMS | Authenticator; Email | SMS; Email | Email | PR email | | | |
| Keeper | SMS | Authenticator | | | PR email | other 2FA options available with enterprise plan | | |
| Kickstarter | Authenticator; SMS | SMS | | | PR email | SMS 2FA mandatory; backup signup recommended | | |
| LinkedIn | Authenticator | SMS | | | PR SMS only if 2FA is not enabled; PR email | | | |
| LogMeIn | Authenticator; SMS | Authenticator; Email | SMS; Email | | PR email | backup signup mandatory | | |
| Mail.Ru | SMS | SMS; Authenticator | Authenticator | | PR email; PR SMS only if 2FA is not enabled | initial SMS 2FA signup mandatory | | |
| MailChimp | SMS | Authenticator | | | PR SMS; PR email | | no response | |
| MathWorks | Authenticator | SMS | Email | SMS; Authenticator | PR email | backup signup available | | |
| Mercado Libre | Proprietary | SMS | Authy | Proprietary; SMS | PR email | backup signup available; Authy 2FA disables all backup schemes | | |
| Microsoft - fixed without reporting | Authenticator; SMS; Email | | | | PR SMS; PR email | automatic SMS backup signup using phone number on file; automatic email backup signup using email on file | did not understand; later fixed the issue without notifying us; this row represents our original finding | |
| Minds | SMS | | | | PR email | | | |
| Mixpanel | SMS; Authy | | | | PR email | automatic Authy backup signup using phone number on file | | |
| MongoDB Cloud Manager | Authenticator | Authenticator; SMS | SMS | | PR email | SMS backup signup available | | |
| Namecheap | Authenticator | U2F | SMS | Proprietary | PR email | initial SMS 2FA signup mandatory for proprietary 2FA signup | | |
| Newegg | SMS; Email | SMS; Authenticator | Email; Authenticator | | PR email | backup signup mandatory | | |
| Nexmo | SMS | | | | PR email | | | |
| Nimbox | Authenticator | SMS | Email | | PR email | | | |
| Norton | Proprietary; SMS | SMS; U2F | Proprietary; U2F | | PR email | backup signup mandatory | | |
| Okta | Proprietary | SMS; Proprietary | PKQ; Proprietary | | PR email | proprietary 2FA mandatory; backup signup available | | |
| Online.net - reported fixed | Authenticator | SMS | | | PR SMS; PR email | SMS 2FA available for French residents only | reported as fixed; this row represents our original finding | |
| Patreon | SMS | Authenticator | | | PR email | | | |
| Paychex | | | | | PR SMS; PR email | Restriction - enterprise signup only | | |
| PayPal | SMS; Authenticator | Authenticator | SMS | | PR SMS; PR email | backup signup recommended | did not understand | |
| Paytm | | | | | PR SMS | Restriction - non-U.S. phone number required for account creation | | |
| PCloud | SMS | Authenticator | | | PR email | | | |
| Personal Capital | | | | | PR SMS; PR email | Restriction - cannot sign up for 2FA without adding financial accounts | | |
| Pinterest | SMS; Authy | | | | PR email | automatic Authy backup signup using phone number on file | | |
| Plastiq | SMS | | | | PR email | | | |
| Playstation Network | SMS | | | | PR email | | | |
| Questrade | SMS; Email | | | | PR email | SMS 2FA mandatory; email 2FA used as mandatory backup | | |
| RBCommons | Authenticator | SMS | Authenticator; SMS | | PR email | SMS backup signup available | | |
| Recurly | Authy | SMS | | | PR email | initial SMS 2FA signup mandatory; permanently switches to Authy if installed | | |
| Repairshopr | Authenticator; SMS | Authenticator | | | PR email | SMS backup signup recommended | | |
| Ring | SMS | | | | PR email | | | |
| Robinhood | SMS | Authenticator | | | PR email | | | |
| RoboForm | Email | SMS | Authenticator | | PR email | | | |
| Salesforce | Authenticator; SMS | Proprietary; SMS | U2F; SMS | | PR email | SMS 2FA used as mandatory backup | | |
| Samsung | SMS | | | | PR email | | | |
| SecureSafe | SMS | | | | PR seed | 2FA available with subscription upgrade | | |
| Sentry | Authenticator; SMS | Authenticator | SMS | U2F | PR email | SMS backup signup recommended | | |
| Shopify | Authenticator | Authenticator; SMS | Authenticator; U2F | SMS | PR email | backup signup available | | |
| Signal | | | | | No PR | No PR; E2EE, phone number only used as identifier, attacker can hijack future communications; Outdated - no 2FA | | |
| Slack | SMS | Authenticator | | | PR email | | | |
| Snapchat - reported fixed | SMS | Authenticator | SMS; Authenticator | | PR SMS; PR email | backup signup available | reported as fixed; this row represents our original finding | |
| Sonic | | | | | PR phone call | Restriction - utility service required for account creation | | |
| Square | SMS | SMS; Authenticator | Authenticator | | PR email | backup signup available | | |
| StatusCake | SMS | Authenticator | | | PR email | | | |
| Stripe | SMS | Authenticator | SMS; Authenticator | Authenticator; U2F | PR email | | | |
| T-Mobile | | | | | PR phone call | Restriction - utility service required for account creation | | |
| Taxact - fixed without reporting | Email; SMS | Authenticator | | | PR SMS; PR email | SMS 2FA used as mandatory backup for email 2FA | did not understand; later fixed the issue without notifying us; this row represents our original finding | |
| Telegram | Password; Email; Proprietary | Password; Proprietary | | | PR email only if email 2FA is set | automatic tap-to-login 2FA sent to other signed-in devices | | |
| Ting | Authenticator | SMS | | | PR email | | | |
| Tokopedia | | | | | PR SMS; PR email | Restriction - non-U.S. phone number required for 2FA signup | | |
| TransferWise | SMS | Proprietary; SMS | | | PR email | initial SMS 2FA signup mandatory; automatic SMS backup signup using phone number on file; 2FA cannot be disabled once set | | |
| TransIP | Authenticator; SMS | | | | PR email | authenticator 2FA mandatory; SMS 2FA used as mandatory backup | | |
| Tumblr | SMS | Authenticator | SMS; Authenticator | | PR email | backup signup available | | |
| Twilio | SMS; Authy | | | | PR email | automatic Authy backup signup using phone number on file | | |
| Twitch | SMS; Authy | | | | PR email; PR SMS | automatic Authy backup signup using phone number on file; PR SMS is in beta | | |
| Twitter | SMS | SMS; Authenticator | Authenticator | SMS; U2F | PR SMS only if 2FA is not enabled; PR email | backup signup available; optional "PR Protect" feature requires the email address to be entered correctly, but does not help against PR SMS | | |
| Uber | SMS | Authenticator | | | PR email | 1-step login with OTP available if 2FA is not enabled | | |
| Ukraine | Authenticator; SMS | | | | PR email | authenticator 2FA mandatory; SMS 2FA used as mandatory backup | | |
| Unity | SMS | SMS; Authenticator | Authenticator | | PR email | backup signup available | | |
| Venmo | SMS | | | | PR SMS; PR email | | no response | |
| VK | SMS | SMS; Authenticator | | | PR SMS only if 2FA is not enabled; PR email | backup signup available; SMS 2FA mandatory | | |
| Wealthsimple | Authenticator | SMS | | | PR email | | | |
| WhatsApp | PIN; Email | PIN | | | No PR | No PR; 1-step login enabled; phone number only used as identifier, attacker can hijack future communications | | |
| WordPress.com | Authenticator; SMS | SMS | | | PR SMS; PR email | SMS 2FA used as mandatory backup | no response | |
| XING | SMS | Authenticator | | | PR SMS; PR email | SMS 2FA requires non-US number | | |
| Yahoo Mail | Proprietary; Email; SMS | Email; SMS | | | PR SMS; PR email | automatic SMS backup signup using phone number on file; automatic email backup signup using email on file; 1-step login (via notification, OTP via SMS, OTP via email) enabled if proprietary app 2FA is selected | did not understand | |
| Yandex.Money | Proprietary | | | | PR SMS only if 2FA is not enabled; PR email only if 2FA is not enabled; PR SMS + old password | 1-step login (via in-app QR scanner, via in-app OTP) enabled if 2FA is enabled | | |
| Zendesk | Authenticator | SMS | | | PR email | | | |
| Zoho Mail | Proprietary | Proprietary; SMS | Authenticator; U2F | SMS | PR SMS; PR email | 1-step login available via PR SMS number | closed as non-issue | |