2FA while overseas (Google Voice doesn't support short-SMS codes?)

[LeftCoastIV]

We are preparing for a move to Europe, from the U.S., and I am trying to sort out how I will keep accessing my online accounts using two-factor authentication (2FA) after we move.

I was planning to use Google Voice with a U.S. number, but Google Voice apparently no longer supports short-SMS, or more accurately banks won't allow short-SMS to be sent to non-carrier numbers, from what I've read.

An authenticator app like Microsoft Authenticator or Google Authenticator would work, but very few online services appear to support TOTP as an authentication option.

My current thinking is to use 1Password as a password manager for all my sites, and then set-up 2FA for 1Password itself (using Microsoft Authenticator). I don't love the idea of all of my passwords being stored in one place though, even with 2FA.

Any ideas?

[j0nnyg1984]

I don’t know what “short-SMS” is, but I get 2FA from many institutions on my GV number, including banks and my doctor’s portal website. I think the only place that my GV number WON’T work for a text code is Wells Fargo, so I just have them call me.

Is email an option? I know BoA offers to email my code.

[LeftCoastIV]

I don’t know what “short-SMS” is, but I get 2FA from many institutions on my GV number, including banks and my doctor’s portal website. I think the only place that my GV number WON’T work for a text code is Wells Fargo, so I just have them call me.

Is email an option? I know BoA offers to email my code.

Short-SMS are the texts you receive from your bank websites or similar with numbers like 20736 (rather than a fully-formed ten digit phone number). From reading online, I had understood that sending these messages to Google Voice was no longer supported. It sounds like this may be wrong based on your experience.

[j0nnyg1984]

Short-SMS are the texts you receive from your bank websites or similar with numbers like 20736 (rather than a fully-formed ten digit phone number). From reading online, I had understood that sending these messages to Google Voice was no longer supported. It sounds like this may be wrong based on your experience.

Gotcha. Yes, I have a stack of texts from these short numbers in the last month - Merrill edge, my doctor portal, amazon, Marcus bank, HSBC, the global entry .gov website, etc.

[TravelGeek]

We are preparing for a move to Europe, from the U.S., and I am trying to sort out how I will keep accessing my online accounts using two-factor authentication (2FA) after we move.

I was planning to use Google Voice with a U.S. number, but Google Voice apparently no longer supports short-SMS, or more accurately banks won't allow short-SMS to be sent to non-carrier numbers, from what I've read.

An authenticator app like Microsoft Authenticator or Google Authenticator would work, but very few online services appear to support TOTP as an authentication option.

My current thinking is to use 1Password as a password manager for all my sites, and then set-up 2FA for 1Password itself (using Microsoft Authenticator). I don't love the idea of all of my passwords being stored in one place though, even with 2FA.

Any ideas?

You should use a password manager with a strong pass phrase in any case, and all passwords stored in the password manager should be strong passwords. I think that is orthogonal to the question of how to best deal with 2FA for the individual sites.

[trigger08]

I am currently overseas and use GV as my USA phone number. GV certainly supports short codes, the issue is some banks/institutions will not, or cannot, send them to GV for some reason. You might be able to search around and see if other GV users have reported issues with your particular bank(s). Off the top of my head I know I have recently received codes from Vanguard, Fidelity, and Capital One.

I try to use 1password and its ability to be a 2FA app (with Google Authenticator) whenever sites support it, instead of relying on phone/email as the second factor.

[AlohaJoe]

the issue is some banks/institutions will not, or cannot, send them to GV for some reason

It's not just Google Voice they won't send codes to. I've heard reports that they won't send them to any (known) VOIP/software type phone number. i.e. they really want it to be a physical phone with a physical SIM.

The biggest risk you run is that even if Google Voice works today, your bank might change their policy in one, or three, or five years and then you'll be locked out of your account until your next trip back to the US.

That's what happened to me.

It is better just to find a bank that offers non-SMS solutions. Schwab does, so I use them now.

[JoMoney]

Weird. I haven't had problems using GV to receive 2FA messages from banks/financial firms.

There was one time I called Capital One bank on the phone, and despite having successfully received 2FA messages from there website, the call-center operator on the phone couldn't send me a message because the GV number I was providing was in their system as being a land-line (not a mobile number). I don't understand why even that was a problem, because some land-line numbers are ported to cell-phones, and some land-line numbers are even capable of receiving SMS messages... but any rate, that was the only issue I've ever had with it, and have been able to continue using GV for 2FA in every other circumstance with multiple financial institutions (including on the website with Capital One).

[newguy123]

The 2FA through text are kind of outdated now, most use the authenticator apps like google auth. The problem with the SMS codes is the whole phone port out scams that happened. Try to see if whatever app/site you are using supports the auth type through the authenticator app

[LeftCoastIV]

The 2FA through text are kind of outdated now, most use the authenticator apps like google auth. The problem with the SMS codes is the whole phone port out scams that happened. Try to see if whatever app/site you are using supports the auth type through the authenticator app

Unfortunately, support for authenticator apps is really low right now with financial websites. I can't think of a single one that we use that supports it right now (Vanguard, Fidelity, Ally, Wells Fargo, B of A, Personal Capital, etc.)

[michaeljc70]

I use GV and the only company I recall having an issue with is Chase. For them I have them send the code via email. I wish Chase would fix that (I'm sure they would say it is working as expected).

[Lee_WSP]

The 2FA through text are kind of outdated now, most use the authenticator apps like google auth. The problem with the SMS codes is the whole phone port out scams that happened. Try to see if whatever app/site you are using supports the auth type through the authenticator app

Unfortunately, support for authenticator apps is really low right now with financial websites. I can't think of a single one that we use that supports it right now (Vanguard, Fidelity, Ally, Wells Fargo, B of A, Personal Capital, etc.)

Fidelity uses Symantec and vanguard can use a yubikey iirc.

[nalor511]

A ton of companies can successfully send 2FA to GV. A couple can't. The % is heavily weighted toward those who can, if I were you, I might just try and see.

Someone above mentioned Chase cannot, and that's been my experience. There's been one other, that does not come immediately to mind though.

[j0nnyg1984]

The biggest risk you run is that even if Google Voice works today, your bank might change their policy in one, or three, or five years and then you'll be locked out of your account until your next trip back to the US.

That's what happened to me.

Wow. Buy a prepaid SIM from a US GSM carrier and use it internationally for 2FA

[LeftCoastIV]

The biggest risk you run is that even if Google Voice works today, your bank might change their policy in one, or three, or five years and then you'll be locked out of your account until your next trip back to the US.

That's what happened to me.

Wow. Buy a prepaid SIM from a US GSM carrier and use it internationally for 2FA

That is an option, but you would need to swap in your US SIM card every time you want to log-in, and pay an int'l SMS fee for each log-in. That's too high on the hassle-meter, IMO, for regular use. I suppose a dual-SIM phone could help, but we all have iPhones.

[LeftCoastIV]

A ton of companies can successfully send 2FA to GV. A couple can't. The % is heavily weighted toward those who can, if I were you, I might just try and see.

Someone above mentioned Chase cannot, and that's been my experience. There's been one other, that does not come immediately to mind though.

I'm planning to be in Europe in a couple of weeks, so should be a good opportunity to "test" GV over there. I'll need to make sure I have a second 2FA option for every account, I think, in case GV stops working in the future.

[AlohaJoe]

That is an option, but you would need to swap in your US SIM card every time you want to log-in, and pay an int'l SMS fee for each log-in. That's too high on the hassle-meter, IMO, for regular use. I suppose a dual-SIM phone could help, but we all have iPhones.

Instead of swapping SIMs, it is easier just to buy a second phone. I can buy a Nokia 105 for $15, which is all you need to receive 2FA SMS messages. The easiest solution, though, is to switch to a bank that doesn't send SMS and instead relies on a software token. But a lot depends on how long you'll be overseas. There are big differences between going overseas for 3 months, 1 year, and "forever".

[hood]

Anyone else notice GV not working today? Wonder if just a blip or they changed something. Site says sent but GV message never appears.

[word]

Using a password manager is now considered best practice. We use 1Password.

While storing all of your passwords in one place can make you uneasy, you're able to protect your password manager account with a strong password and 2FA (including a hardware key like Yubikey). It also means you can have extremely secure, very random passwords for all of your other accounts making them less prone to issues.

I would recommend moving any accounts you can to TOTP, SMS isn't considered secure anyway, though I think it is way better than nothing. I don't know about other password managers, but 1Password does allow your TOTP tokens to be stored there as well.

For services that only support SMS for 2FA you might consider a proper VOIP number or jettisoning the service or just going without 2FA depending on the service obviously. I would never do that with email, but email providers tend to support TOTP so this isn't an issue. A service like the bogleheads forum doesn't really warrant 2FA. Those are two extreme examples, but you get the idea.

I would be VERY reticent to put any faith in google voice at this point. The product has been severely neglected by Google and just FEELS like something they're going to kill off one day. Then you'll be left to scramble because you need to update your phone number on all of these sites so that you can still access your accounts.

Good luck.

[beyou]

Look at Anveo which seems to have web based incoming sms for $0.01/txt. Can test with your websites without any monthly fees. There are upgrades with monthly but a basic service with only the penny/text fee. Don’t know that this is any better than GV in terms of widespread acceptance.

https://www.anveo.com/consumer/service.asp

A burner phone with US number and prepaid to keep cost down seems like a good alternative if Anveo or GV does not work for your particular providers. Have only found a
handful that would not allow GV.

[freedom66]

Although Google Voice is currently able to receive 2FA codes from Vanguard (either text or voice works), there is also another option for receiving 2FA codes when out of the U.S.:

Vanguard recently introduced the ability to add a secondary phone number to send a 2FA code, and the number can be a foreign number. A little problem is that you are usually already out of the country before you buy a foreign-carrier SIM card. To get around this:

- you can call Vanguard to disable the 2FA requirement before you travel, then you would be able to log on and put in your foreign number as soon as you get it and enable the 2FA requirement.

- if Vanguard recognizes your device then you will not need a 2FA code....but you may or may not want this when you are out of the country.

[nalor511]

Anyone else notice GV not working today? Wonder if just a blip or they changed something. Site says sent but GV message never appears.

Yes it's been a little iffy for me Tues/wed for 2fa

I do not know why, or if I've missed other messages. It's not delayed, they just never come in. I have another line as backup, which worked, so I assume it's GV with the issue

[skis4hire]

very few online services appear to support TOTP as an authentication option

Which ones are you concerned about?
I only care to use 2FA for financial institutions and primary identity/email, I haven't run into a financial institution that doesn't offer non-SMS 2FA including my credit union.
Anything else you're probably fine with a password manager.

Also, for TOTP, look into something like yubico keys for a physical backup.