SMS text messages are a weak, dangerous way of providing two-factor authentication codes, as we discussed years ago in “Facebook Shows Why SMS Isn’t Ideal for Two-Factor Authentication” (19 February 2018). Unfortunately, even though the problems with SMS for 2FA are well-known, many companies and government organizations continue to use it. The problem is that, for most people, most of the time, it works. But I’ve just resolved a problem where SMS 2FA codes didn’t work, and it’s worth sharing in case you or someone else you know is experiencing a similar problem.
In August 2021, we switched from AT&T to T-Mobile, and it has been a highly positive move for the most part. At some point, however, I discovered that I couldn’t log in to my Social Security account because it needed me to enter a code texted to my cell phone number. Despite several tries over a few days, the code never arrived on my iPhone. Since I have no near-term plans to retire and all other SMS text messages were arriving properly, it wasn’t worth my time to figure out why.
A while later, I needed to log into the Finger Lakes Runners Club QuickBooks Online account, which also had an SMS-mediated login verification. That failed in the same way—the text message never arrived—but I was able to work around the problem by falling back to email. Although QuickBooks Online now offers app-based 2FA, turning it on requires being able to receive a text message first.
The problems continued. I couldn’t turn on 2FA with a site called TaxCaddy that our accountant uses for transferring and tracking tax-related documents. The local credit union website we use for online banking wanted to send me a text message for some reason, but it never arrived—it was no great loss because I had to use Tonya’s account anyway (and she never experienced any problems receiving 2FA codes). The straw that broke the proverbial camel’s back was another local bank’s website. It would let me log in and do most things but required an SMS 2FA code for making admin-level changes to users, which I needed so I could increase the amount my account could transfer between accounts.
So I called T-Mobile and explained my situation to the customer service rep. She understood the problem instantly and said she would remove the necessary block on my account. It took seconds, and as soon as she did it, I was able to verify that several of the previously blocked accounts could now send me text messages.
Why had this happened? The rep couldn’t say for sure, but it was likely associated with T-Mobile’s efforts to block scams. Most of those are voice-related, but apparently, they can also result in text messages being blocked. In other words, it’s an opaque system, and there’s no way of knowing exactly what happened. The commonality among the five websites I’d recorded as having troubles was that they all provided financial services. It seems odd that T-Mobile would block them, particularly government outfits like Social Security, but on the other hand, scammers might try to spoof text messages from such sites.
All’s well that ends well, but the moral of the story is that if you aren’t receiving SMS text messages, particularly those that carry 2FA codes, call your cellular carrier and ask if they’re being blocked.