@briankrebs It's super annoying when sites do this, especially since my Google Voice number is much better protected from SIM swapping type attacks than any actual cellular number.
My suspicion was that they want your real cell phone number so they can buy tracking info from the cellular providers, but hopefully the recent FCC action has put a stop to that.
@briankrebs SMS routing is a bit of a headache and most send through some aggregator (e.g. Vonage or Sinch). The aggregators will have multiple routes/termination points that say they can handle the message and will most often choose the cheapest one. Some of these routes get blocked due to being grey routes (illegal), some simply fail to deliver the messages without saying so, and delivery notifications in SMS are not necessarily true when doing multiple hops. MFA providers might have multiple aggregators that they use and they’ll monitor successful SMS 2FA logins resulting from SMS sent to each aggregator and drop aggregators that have an abnormally high failure rate (indicating non-delivery of 2FA codes).
So this might be that Google Voice numbers are blocked or simply some temporarily bad routing.
@briankrebs It is very common to not send MFA codes to numbers tagged as VOIP by the provider. I’m actually surprised it worked for as long as it did.
Common arguments are someone else (VOIP provider) has access to the codes, or it can be fanned out (allows for account sharing). I think it’s because if you’re already clinging to SMS as your MFA option, you also cling to the idea that SMS is secure and a good delivery mechanism for those codes.
There are an annoying number of folks that will say "your Google Voice number is not a cell number and we won't SMS to it". Probably not a coincidence that they are frequently also the ones that don't offer TOTP auth apps as an option.
Also, I use Google Voice all the time, and I have no issues with receiving OTPs in that incoming SMS box, but I do need to (auto) forward them to email if I don't have the Google Voice app on my phone.
🤖
I had to use one of my "one-time" authentication passwords to turn off 2FA and then re-set it up again in Google when the "push" auth stopped working a week or so ago...
@jrsofty I had it set up that way. But was working w/ one of their top security engineers, who suggested I try their enhanced 2FA via SMS, which I did in order to report a story. But I guess I never changed it back. Doh.