32

It's been about 10 years since I've traveled out of the US. In that time, it's become more and more common for various services (including basic things like email) to (randomly or systematically) force you to verify yourself via a text message.

When I'm in the US, this is just an annoyance, but I'm wondering if it could be more of a problem when traveling abroad. I have the TMobile "Walmart plan" and have seen mixed information on whether it offers international roaming: some sources say no, some say there is international texting but not voice/data, and some say there is international texting but only when on wifi.

Suppose I'm going to be taking a trip abroad. I can get some kind of international SIM card, but that won't allow me to receive verification texts sent to my US phone number. I want to avoid uncomfortable situations like being locked out of my email or other important logins because I'm unable to verify via text message. Is there any reliable solution to ensure I can receive text messages to my US number no matter where in the world I am (assuming I can get cell phone signal)? Are there solutions that work for some countries but not others?

Edit: I appreciate the remarks about TOTP, and I do have that for a couple things (like my bank app). However, that requires a separate configuration change for every app or service. I'm more interested in a "drop in" solution that doesn't require me to separately configure every service I want to be able to access from abroad.

BrenBarn
  • 719
  • 1
  • 7
  • 14
  • 13
    Enable app TOTP (Google Authenticator) for the most amount of accounts possible (it's more secure and more convenient) – Nicolas Formichella Jun 09 '23 at 04:33
  • 1
    Whether roaming works properly also depends on your phone. That could account for the conflicting reports: Even if your operator does support roaming, some people might encounter issues because their phone doesn't support the right frequency bands for their destination. – Relaxed Jun 09 '23 at 05:48
  • 1
    @NicolasFormichella most secure, maybe. Most convenient, definitely not. – phoog Jun 09 '23 at 06:15
  • 1
    There's simply no way to ensure that you can receive text messages. As far as I can tell this still depends on bilateral agreements between companies. – phoog Jun 09 '23 at 06:17
  • 4
    @phoog Disagree... having a fully offline capable vault with all your accounts is more convenient than waiting for email/SMS/Phone Call – Nicolas Formichella Jun 09 '23 at 07:00
  • @NicolasFormichella having secure passwords and not having to bother with multi-factor authentication is more convenient than having to have your phone or whatever with you at all times in order to, say, deal with your bank when a charge is refused. – phoog Jun 09 '23 at 07:22
  • 2
    @phoog Sure, that would be the most convenient, but that's beside the point. I am talking about 2FA methods – Nicolas Formichella Jun 09 '23 at 09:16
  • Can you change your phone number with the service to receive messages on your new international number instead? – BoppreH Jun 09 '23 at 15:27
  • @NicolasFormichella Still doesn't mean you can ensure that you receive SMS everywhere though ;) Also note that not all providers / services give you much choice. For example, some banks use their own app with SMS as a backup and do not offer TOTP or a hardware key as an option. – Relaxed Jun 09 '23 at 16:45
  • your phone doesn't work abroad? is that a thing? – njzk2 Jun 09 '23 at 22:40
  • @njzk2 I see from your Github account that you're in Germany. Yes. US phones may not work overseas without a new SIM card. Different standards, or something like that. – shoover Jun 09 '23 at 22:48
  • @njzk2: The phone itself works, but the service provider (for that plan) doesn't offer international roaming, so you can't get service. You can still use data over wifi, though. – BrenBarn Jun 10 '23 at 02:30
  • TMobile does have international roaming - you may have to pay extra for it. I do this every year or so when my wife travels in the UK. You call them up and they add international everything for a period of time. Used to be you'd then have to call up when you returned to cancel the ongoing charges but now, if you're visiting for a short time, they've got something they call a "Pass" that gives you 10days and then turns itself off. Doesn't change your plan, if you have one, to add/remove this. Just did this in March. Standard US phone (Google Pixel 4). – davidbak Jun 10 '23 at 02:56
  • 2
    @shoover Different frequencies, even. But modern phones are usually capable of working in multiple regions since this is easier for the company selling the phones. – Mast Jun 10 '23 at 06:04
  • As a side note, you don't want to be using SMS as your second factor regardless of whether or not you're travelling. It's fundamentally flawed and significantly weakens your security, being worse than a password alone in some implementations. Change everything you can to TOTP and you'll kill two birds with one stone – ScottishTapWater Jun 12 '23 at 04:49

7 Answers7

27

You are right to be worried: text message (SMS) delivery is best effort only. When traveling internationally, they are all too frequently delivered late or never, and there is really no way around this because the protocol itself does not guarantee delivery.

The best option is to switch your second factor to an alternative method that does not rely on the phone network. Time-based One Time Passwords (TOTP) from free apps like Authy or Google Authenticator are common and supported by lots of popular apps like Gmail, Instagram/Facebook, PayPal, etc. Most banks also support alternatives to SMS, often through their own apps or sometimes via physical tokens, although these are a hassle and increasingly going away.

lambshaanxy
  • 99,649
  • 41
  • 569
  • 806
  • 4
    "when traveling internationally": and sometimes when not traveling at all. – phoog Jun 09 '23 at 07:23
  • 9
    Unfortunately, many services don't allow anything other than SMS-based 2FA. Many Indian services (and even banks) don't at least, from my experience. – Leaderboard Jun 09 '23 at 08:40
  • 1
    Great answer. I'd include a note that TOTP does not require connectivity, and that you must back up the recovery code given during setup. – BoppreH Jun 09 '23 at 15:18
  • But when travelling things much worse than not receiving an SMS can happen: what about if the phone is lost/stolen/broken? – Aaron F Jun 09 '23 at 17:12
  • 1
    @AaronF You use the recovery codes you've hopefully stored somewhere to set up your authenticator on another device. – lambshaanxy Jun 10 '23 at 07:01
  • indeed, and that would be a good addition to your answer – Aaron F Jun 10 '23 at 13:49
  • (i only mention because a couple of months ago my phone froze and stopped working for an hour - a crucial hour where i had to get hold of tickets which were in my email, and i only had access to someone else's phone. I couldn't get in because my recovery codes were in my bitwarden vault and my google notes, and could access neither of them without my phone or recovery codes. i've since upgraded to bitwarden premium, and put my recovery codes in a shared vault, and bought a pair of yubikeys. as it happened i was lucky: my phone started working again two minutes before i had to show the tickets) – Aaron F Jun 10 '23 at 13:54
  • 1
    text message (SMS) delivery is best effort only => I've traveled to dozens of countries with my home SIM card, including remote regions in developing nations. Never once did I encounter issues receiving a 2FA text message. Internet can be hit or miss sometimes but texting always works if you have signal. – JonathanReez Jun 11 '23 at 11:02
  • @JonathanReez Good for you, but I used to set up SMS gateways for a living, and trust me, they drop messages on the floor all the time: studies estimate 1-5% (!) are lost, and many more are delivered very late. https://en.wikipedia.org/wiki/SMS#Unreliability – lambshaanxy Jun 11 '23 at 23:35
  • 2
    1-5% lost might be bad for seeing a message from a friend but for 2FA it’s not a problem as you just request a new code. I guess my point is that your post might be unnecessarily scaring people. – JonathanReez Jun 12 '23 at 04:39
  • Some phones don't keep time accurately, so if you're using TOTP, when you have an internet connection take the opportunity to sync the Google Authenticator clock every 2 weeks or so. (Yes, bad phone time is a thing in some places, like the UK where the mobile phone service providers don't provide a time service that Android can use.) – Andrew Morton Jun 12 '23 at 10:12
  • 1
    @JonathanReez Unfortunately it's less 1-5% messages getting randomly dropped, and more 100% of messages not going through when roaming in country X on operator Y's network with a SIM for operator Z because the interconnect is broken, misconfigured, not agreed, etc etc. This most recently happened to my family earlier this year (X = Australia, Y = Optus, Z = Circles.Life Singapore) and it took an escalation to Singapore's telco ombudsman to get Circles to fix their SMS roaming on Optus! – lambshaanxy Jun 12 '23 at 13:52
11

You have a few options, ordered from most desirable to least:

  1. Switch from SMS to Time-based One Time Passwords (TOTP) apps, as mentioned in the other answer. The codes are generated offline in your device, so you don't even need internet connectivity. Important: when setting up TOTP for the first time with a service, you'll be presented with a backup code. Save it somewhere safe, you'll need it if you lose access to your device. Alternatively, you can save the QR code presented during setup.
  2. Really, try TOTP first.
  3. Switch from SMS to hardware keys like YubiKey, if the service supports it. Costs money and is not widely supported, but it's more secure and also available regardless of connectivity.
  4. Set your phone number to the one from your new international SIM card. Important: not all services accept international numbers.
  5. The next options are last-resort, avoid them if possible.
  6. Set your phone number to a voice-over-internet-protocol (VoIP) number, like Google Voice. You can then forward messages to your international SIM card, or read them from the app (depending on provider). Important: some services won't send 2FA SMS messages to VoIP numbers.
  7. Set your phone number to a trusted friend's in the US, then call/message them as needed.
  8. Leave your US SIM card with a trusted friend in the US, then call/message them as needed.

Relying on a friend's availability is tricky, especially over large time zone differences. And be mindful of phishing attacks; make it explicit that you'll call/message them each time you need a code, that they should only forward the messages to you, and to otherwise ignore any messages about that service.

And do a test run first, preferably still at home. If you can test with a VPN from the target country, even better. Security measures change depending on risk factors, and the service might be more stringent if it's your first connection from that country.

BoppreH
  • 211
  • 2
  • 5
  • 1
    As such a comprehensive list I feel like it's missing the (obvious?) solution: put the SIM card into an LTE router (I'm usually using Mikrotik or Teltonika) and access it over the internet (preferably through a VPN like Zerotier). Of course this requires a bit of IT knowledge to do it securely. – AndreKR Jun 09 '23 at 15:51
  • @AndreKR I've never used an LTE router, I didn't know you can see SMS messages. But I don't think this solution wins in either price or simplicity, so I'd be hesitant to suggest it. – BoppreH Jun 09 '23 at 16:14
  • @AndreKR that means leaving the sim card at home, then? – njzk2 Jun 09 '23 at 22:39
  • @njzk2 Yes, it does. (Unless you have a plan with multiple SIM cards, which doesn't apply to OP.) – AndreKR Jun 10 '23 at 15:39
  • 1
    I really like #8 as a relatively painless and foolproof backup plan. – Wowfunhappy Jun 11 '23 at 14:01
  • #6 doesn't strike me as a last resort... You can also have Google Voice forward messages to email, so that is even more handy, as long as you have a device that stays logged in to your email. (I would guess that services that can detect a Google Voice number would offer TOTP, so those might be complementary strategies.) – adam.baker Jun 12 '23 at 12:48
  • @adam.baker I had in mind the risk of the service starting to block VoIP numbers while you're traveling. But sure, as a complementary strategy it's pretty solid. – BoppreH Jun 13 '23 at 11:17
8

My answer sounds like a product pitch but it's not intend as such other than "it actually works". I have no affiliation with or financial interest in T-Mobile.

We use a T-Mobile plan in the US which comes with free data and texting in 100+ countries and is competitively priced. No need for the ridiculous fees that Verzion, AT&T etc charge for international service (which is typically something crazy like $10/day).

We've used it in over 30 countries so far and never had an issue. It's on the slow side, but coverage is good and it's certainly fast enough for authorization, Google Maps, and WhatsApp.

The phone works immediately when you enter a new country. You don't have to do anything and there is no need for a SIM card or a local phone number.

Hilmar
  • 99,992
  • 6
  • 170
  • 340
  • +1. Except for places with a very poor coverage, SMS delivery never had been a problem for me (I had to request code twice sometimes, but it happens domestically too) with a cheapest US plan I had a couple years ago, even without a data plan or any other international addons. TOTP is better in general, though. – aland Jun 12 '23 at 09:37
  • +1 This has been our experience also - wife has TMobile, I have Verizon. Every time we travel outside of NA she has calls/texts/data as soon as she connects to a network. I use wifi only and we set everything to go through her phone (she also gets hotspot so that helps for any service we need that isn't connected to her phone). It's slow, but we get all the notifications we need – Midavalo Jun 13 '23 at 21:12
5

Not going to rehash what has already been said, but just a few specific points:

  • If you will be connecting from abroad, your IP address of the moment will reflect the fact that you're abroad. So that means the risk of triggering "security checks" goes up. As an example, years ago I logged in to Paypal from Portugal, just to check my balance, and they blocked my account. Of course this is Paypal but this is a taste of situations that can arise when your browsing patterns change all of sudden.
  • I too strongly recommend to ditch SMS and use TOTP whenever possible. My password manager (KeepassXC) does that, so no need to depend on Google or some third party authenticator. And it does form autocomplete too (convenience).
  • SMS delivery is unreliable in general and not guaranteed when it involves roaming abroad
  • Verify that your phone model is fit for use in the target country: frequency bands vary from one country/continent to another
  • Regardless of what people are saying on the Internet, verify your current contract with Tmobile/Walmart - it may require adjustments to enable roaming abroad.
  • I understand that having to reconfigure every service may be tedious. But assume the worst and start with the services that are the most critical to you, for example E-mail. Perhaps you usually connect through a web interface where 2FA can kick in but what about POP/IMAP access?

To address the suggestions from @BoppreH:

  • Using a virtual number (VOIP) for SMS verification is a good idea but that too requires reconfiguring your services. And paying for an extra number you will only need sporadically. The problem (and irony) is that the supplier (Google or other) may itself trigger 2FA before granting access. So make sure it won't be SMS, or you can choose among different options. A lot of people depend on Google for many things like E-mail. Being locked out of Google amounts to disaster so I recommend to minimize dependence on Google as much as you can. Having a single point of failure is risky.
  • Using a VPN before you leave is also a strategy so that your providers "get used" to your newly-reported location. 2FA may kick in on first use, but you'll be able to handle that while you're still in the US. Downside: you'll pay for this, and this not a silver bullet. Actually, IP address blocks that are known to belong to VPN providers can be deemed more risky, because there is a percentage of users who are up to no good, trying to conceal their true location to carry out objectionable activity.

Note: many services look at the device fingerprint - if they notice a change, you may have to prove it's you. So if you try to access your services from a "new" device - and what's more, from abroad - expect additional verifications.

Kate
  • 216
  • 1
  • 2
  • Using a VPN before you leave is also a strategy so that your providers "get used" to your newly-reported location => maybe this was necessary a decade ago but nowadays everything works fine even if you connect from a nation on the other side of the world all of a sudden. I've only needed to use a VPN if the website I need is blocked from non-US IP addresses. – JonathanReez Jun 11 '23 at 11:03
3

Newer phones have "Wifi calling". Like the name implies, it lets your phone operates normally using Wi-Fi instead of cellular connection. My phone, Samsung A13 5G has it. It also has dual SIM slots, so I can use both my US and local SIM.

I never had any issues with 2FA when I was in Asia for almost 2 months. But having 2 SIMs did confuse some of the apps I installed (they checked for local phone numbers). So, I needed to disable one of the SIMs. And many times, I forgot to re-enable it. Lol.

Jose Mulia
  • 83
  • 4
  • 1
    While this may work in a technical sense, its real-world usefulness is limited. Whatever transaction or access is being "confirmed" by the SMS link must be responded-to by the user promptly upon the account institution's sending the SMS code. Always being logged-in to a local wifi network (while shopping, etc) may not be easy or even possible. – DavidRecallsMonica Jun 09 '23 at 17:50
  • This is a data sample of 1, which is myself. And I don't think it's wise anyway to rely one just one thing. Not every country have easier access to obtain local SIM vs getting on the WiFI. In Indonesia for example, you actually have to register your phone's IMEI in order to use any of their cellular data. Otherwise, local SIM won't even work on your foreign phone. – Jose Mulia Jun 09 '23 at 22:07
  • @JoseMulia you can sidestep local IMEI registration schenanigans entirely by purchasing a travel SIM or an eSIM before you leave. They're extremely cost competitive now and can be activated before you travel. – JonathanReez Jun 11 '23 at 11:05
  • My phone doesn't support eSim and the IMEI of the phone is still need to be registered. Indonesia has only one cell company and it's a government entity. I was at the phone store in Lombok. And the registration is all still being done manually. What they did was they talked with the registration people through a special Whatsapp chat group, giving my info, passport, etc. Also, many phone stores in Bali and Lombok understand how to do it. Not the case in Jakarta, you need to get it done in the airport right away. And you're probably out of luck if you're outside those areas. – Jose Mulia Jun 11 '23 at 17:23
3

Try services that let you access SMS remotely

(Note: I'm an Indian, and my experience is with Indian and Japanese mobile providers [and to some extent travelling in the US], but I think this should work well enough in any combination of countries in which you can access the internet and Google services work fine.)

In the past, I have had some luck using the web interface of Google Messages (https://messages.google.com/web/) for accessing messages from an Indian SIM that I left behind on which I would get OTPs from Indian banks (none of the five banks I have had experience with support TOTP apps). To do this:

  1. You need to authenticate the browser you're using with the phone in advance.

    • However, this is done using a QR code, so if you have someone you trust that can unlock the phone for you, then you can authenticate while you're already travelling, and the trusted person only needs to be available for the authentication, not whenever you need OTPs.
    • This can be a browser on another mobile device. I have used Firefox for Android without problems.

  2. The phone must be powered on and have internet connectivity.

    • I used a spare, old phone, keeping it plugged into a charger and at home.
    • I think that if the phone reboots, it might need to be unlocked, but I'm not sure about that.

  3. The browser needs to be re-authenticated periodically (every two weeks, IIRC).

    • If you're travelling for more than that, you could set up an agreed-upon time with a trusted person to unlock the device and forward the QR code to the device.

Provided you set it up in advance, this can work without the involvement of anybody else for up to two weeks. Any longer or if you are already travelling, you'll need somebody's help.

With iPhones, I think messages can synced with a Macbook or similar Apple devices over iCloud. That might be an option if you're in the Apple ecosystem.

muru
  • 788
  • 1
  • 6
  • 14
  • The iCloud for Messages page seems to suggest that Text Forwarding should be updated separately for SMS support, but that feature only works via Continuity, which requires being nearby (Bluetooth) and/or on the same wifi network. If this actually worked across the globe it would be a great option, assuming you could buy a cheap/broken iOS device just for this purpose. – fregante Jun 14 '23 at 18:22
2

Not an American, but from my experience there's no problem receiving SMS abroad.

When traveling abroad with no roaming plan, you can't make it receive calls, and you can't send text messages, but incoming text messages simply work, at no charge.

I never experienced significant delay also.

This of course requires keeping your home SIM card in your phone. That's no problem of your phone supports dual DIM or eSIM. Of not, you may want to take an extra phone for the stole purpose of receiving SMS.

Of course, I can't guarantee that it would work for you. Having a plan B is anyways good.

ugoren
  • 4,202
  • 15
  • 31
  • I think it varies by country/operator. My Italian SIM card has faithfully received SMS in a dozen countries, whereas other SIMs like from the Philippines just show “No service” when abroad. – fregante Jun 14 '23 at 18:26