Would You Implement Passwordless Login?

Let’s start with SMS: http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/

Email suffers from other problems. There is very little security built into the email protocols, and there have been a bunch of issues with HTTPS discovered recently.

Can I create a more secure login system than Gmail? Easily. Note, though, that that is only part of the problem.

Here is what you do:

  1. Generate a key pair for public key cryptography. You can do this in JS in the browser these days.
  2. Send the public key to your server along with whatever user identifying information you want.
  3. Have the server sign it if it is happy with the user information, and send it back signed.
  4. Install the private key part and the signed public key as a client certificate and use that for authentication from now on.

Is this convenient? With some effort, it could be made to work. Mostly, though, there are some lessons to be learned from it:

  1. Password-based authentication is insecure; get over it.
  2. Replacing it with less security (as proposed) is a terrible idea, unless you work for the NSA. A more secure future requires more key management, not less. The key is to drive browser adoption of good key management solutions. Good key management makes using unique site keys easier, too.
  3. This is still a bad solution; get used to the idea that SSL/TLS is a stopgap solution for security. We need more end-to-end security, and less transport security. But that leads off into an entirely new direction.
1 Like
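The four steps listed in the post, sketched with the WebCrypto API as an added example that is not part of the original post. The signed user-and-key record is a simplified stand-in for an X.509 client certificate, and the function names, the `alice` user and the nonce challenge are assumptions made for illustration.

```javascript
// WebCrypto is global in browsers and Node 20+; older Node falls back to require().
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const { subtle } = wc;
const ECDSA = { name: 'ECDSA', namedCurve: 'P-256' };
const SIG = { name: 'ECDSA', hash: 'SHA-256' };
const enc = (s) => new TextEncoder().encode(s);

// Step 1 (client): key pair whose private half is non-extractable.
const newKeyPair = () => subtle.generateKey(ECDSA, false, ['sign', 'verify']);

// Step 2 (client): enrollment request = user info + public key as JWK.
async function enrollmentRequest(user, keyPair) {
  return { user, jwk: await subtle.exportKey('jwk', keyPair.publicKey) };
}

// Bytes the server signs: binds the user name to exactly one public key.
const tbs = ({ user, jwk }) => enc(JSON.stringify([user, jwk.crv, jwk.x, jwk.y]));

// Step 3 (server): sign the binding once the user information has been checked.
async function issue(serverKeys, req) {
  const sig = await subtle.sign(SIG, serverKeys.privateKey, tbs(req));
  return { ...req, sig };
}

// Step 4 (client): prove possession of the private key over a fresh server nonce.
const answer = (keyPair, nonce) => subtle.sign(SIG, keyPair.privateKey, nonce);

// Step 4 (server): check the server's own signature first, then the client's proof.
async function authenticate(serverKeys, cert, nonce, proof) {
  if (!(await subtle.verify(SIG, serverKeys.publicKey, cert.sig, tbs(cert)))) return null;
  const { crv, x, y } = cert.jwk;
  const pub = await subtle.importKey('jwk', { kty: 'EC', crv, x, y }, ECDSA, false, ['verify']);
  return (await subtle.verify(SIG, pub, proof, nonce)) ? cert.user : null;
}

// Constructed walk-through: honest login, altered user name, proof reused on a new nonce.
async function demo() {
  const server = await newKeyPair(), client = await newKeyPair();
  const cert = await issue(server, await enrollmentRequest('alice', client));
  const nonce = wc.getRandomValues(new Uint8Array(32));
  const proof = await answer(client, nonce);
  return {
    ok: await authenticate(server, cert, nonce, proof),
    forged: await authenticate(server, { ...cert, user: 'admin' }, nonce, proof),
    replay: await authenticate(server, cert, wc.getRandomValues(new Uint8Array(32)), proof),
  };
}
```

With a real client certificate the proof of possession happens inside the TLS handshake; the explicit nonce here only makes that step visible.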