It's a little sad that there isn't a good solution for this yet though.
https://clerk.chat offers the ability to receive SMS on genuine non-VOIP numbers. They are ridiculously bad at pretty much everything – terrible communication, terrible customer support, terrible reliability, terrible UX, etc. – but they can actually do this where other VOIP-based providers like Twilio can’t. They may be your least worst option.
Another option that’s available is to set up an Android phone with https://ifttt.com and a genuine phone plan. Then get IFTTT to forward any SMS it receives to whatever service you need. There are open-source apps that do similar things as well – the sibling comment mentions a similar solution. It’s a pain to maintain though.
I’d love it if there were a better solution out there, but I haven’t found one yet. Basically the only thing I need is a genuine phone number that will forward SMS on to a web hook.
In addition to TOTP 2FA (our main service), we also started to offer 2FA via SMS via _physical SIM cards_ hosted in a data center in Germany (we are a German company) as every other solution we tried (Twilio + seemingly 50+ other, non-physical SIM card-based, options by now) was simply not working reliable.
We have been talking to Twilio et al and a lot of telcos, carriers, ISP, providers and seemingly everyone in between: there simply is no easy and reliable solution to this. :(
In our tests the best reliability we could reach for national and international senders&receivers on VOIP-based numbers was only every around 80%. We are still looking for other options, and specially non-VOIP options that are actually affordable, but so far we can only offer a German number (+49). This number however, is way, way more reliable than anything we have seen from others.
We currently support forwarding SMS to an email address, and webhooks for incoming notifications are in the works.
Can you get a cellular connection over a wire?
That is, instead of having 500 little radios connecting to one or two nearby towers, can you negotiate a direct connection to the tower and use the entire cellular stack except for the PHY ?
We are hugely frustrated with providers insisting on SMS as a 2nd factor for commercial use because we value employee PII and feel they should not need to seed data brokers just do log into enterprise platforms.
We are looking for a solution at scale for SMS 2FA that, according to the national number registry and KYC/anti-fraud checks, is a "real" mobile SMS number.
We've found hardware devices that take from 4 to 32 SIM cards and are heading in that direction which seems ... nuts.
But, we value employee privacy and these days when even your accounting firms' privacy policy say they're selling your contact info upstream, we want to give employees a way to log in without compromising themselves.
Also, to anyone here running a B2B SaaS that offers TOTP instead of SMS, thank you.
Our ops team had a physical phone for this, but it lived in a desk drawer somewhere and that didn't scale as the team grew and became distributed.
I think what Twilio or others could do is offer non-VOIP, genuine, etc, numbers on the condition that the company and use-case is vetted and the usage is audited. A little like getting an EV SSL certificate, you'd give valid points of contact, undergo basic vetting of the company, perhaps even limit the count of numbers you can contact and require human review for increasing that quota.
Maybe this would be too hard, arguably EV SSL failed because it wasn't strict enough. Or maybe I'm misunderstanding why VOIP/automated numbers are so easy to identify, I assumed it was because they were higher risk in this way and that this sort of auditing would circumvent the need for that, but maybe there's another reason.
It solves all of their terrible new a2p 10dlc issues and would be genuinely useful.
Actually, there are all kinds of ways to solve their 10dlc problems and make their platform useful (again) for something other than spam but … that would be a boring and useful service and not customer engagement at scale.
Why they are dying out? Because they are not that easy to source, maintain, scale or achieve super high reliability with them. Also, hard to offer a high availability option when the phone network only (well, in most cases) accepts one device per phone number.
Edito: Additionally, important to note is that most SIM cards can only be used for a prolonged time in that providers phone network. You e.g. can not buy US SIMS, ship them to the EU and host them there. T-Mobile US (and others) cut you off after (usually) 2 months of roaming.
https://kozubik.com/items/2famule/
(sorry about the bad SSL cert - I stopped caring after acme.sh blew up)
This is probably possible to do, but probably hard to get right, and still requires having a device reliably available to receive calls, and has limited scale (what happens if there are multiple calls at the same time?). This is why it would have been great to be able to buy this as a service.
I'm curious, why not just serve plain HTTP at that point? It makes little difference to the viewer.
Or buy a "real" SSL cert that I don't need to fiddle with every few months.
I think there are some browsers that won't even connect to HTTP/80 without a warning ?
