
> First and foremost, if you use any services online that have two-factor authentication, be sure it is not SMS-based. Use an app like Google Authenticator or Authy for this purpose instead.

It's really disappointing that in 2024 this is the "right" guidance to give, but we still know there's a whole lot of really important stuff that still uses SMS for 2-factor authentication.



Half the time, even if a service supports authenticator app 2FA and not just SMS, all it takes is just clicking “use another method” on the 2FA page, and it defaults to SMS-based 2FA anyway. And it would still require a phone number when registering, so there is no way to avoid that fallback anyway. Borderline useless.


The services require a phone number not because it adds security, but because it is a monetary challenge for scammers. If a service allows for multiple 2FA types it usually demands SMS for the initial setup, but once that is done you can remove your phone number to force it to switch to TOTP or a token. It's generally a good idea to not have your phone number stored in a zillion websites anyway, every copy is just another vulnerability for hackers to exploit when they knock over that service.


That’s totally fine, I am not against services requiring phone numbers during registration. I am just against those services allowing SMS to be used as an easy 2FA fallback when an app-based 2FA is enabled. Because doing so makes app-based 2FA kinda useless.

I agree with your points, it just feels insanely rare to see a service utilizing a phone number requirement for registration the proper way (i.e., the way you describe).


> That’s totally fine, I am not against services requiring phone numbers during registration.

I am completely opposed to services having any PII (Personally Identifiable Information) beyond an email address because the dumbass services keep my PII and then lose it when they get hacked.

If I can go collect a million dollars from a company that loses my PII, I'd let them collect it. Since I can't, my best option is to refuse.

If you want to verify, take a credit card number. At least I can cancel and change that when some dumbass gets hacked and loses it.


> It's generally a good idea to not have your phone number stored in a zillion websites anyway, every copy is just another vulnerability for hackers to exploit when they knock over that service.

Are you relatively confident that these sites actually delete removed phone numbers?


All I'm confident about is that they certainly won't delete them if you leave it as a 2FA option.


Every freaking time I get a new phone I forget the step of porting my authenticator keys. Wow, is it ever a drag trying to set them up again. Often, you need to do zoom calls to verify your identity. Takes days. This is the type of thing that will push almost everyone towards SMS. Also, it's easy for users and developers, and no one needs to learn anything. Solves these issues and we are good to go.


AI is probably going to end Zoom auth calls. They'll almost become so trivial to fake as to be useless.


You didn't write down your rescue keys like almost every website tells you to do when setting up TOTP?


Boooooring.


Google Authenticator makes it very unclear to average users how you back up or transfer stuff to other devices. Sites that support Google Auth are gonna have to deal with lots of locked-out users trying to recover access, which can negatively impact security.

If anything hopes to replace SMS, it needs to be as user-friendly as SMS.


Google Authenticator is not the only authenticator that supports TOTP. Any time a site tells you to use Google Authenticator you should be using a better service like 1Password, Bitwarden, LastPass, etc. to scan the QR code and store the TOTP secret.

I'm flabbergasted every time I switch jobs and some jamook in IT or Security says we have to use Google Authenticator and that other authenticators aren't allowed. Then there are constant lockout events generating tickets for those teams when people delete the app or get new phones.


Yeah, it needs to be clear to users that they can use other things, especially some built-in option. Currently it's not.


Many services will happily remove the authenticator from your account if you email them and say you lost it. The whole thing is a joke.


Indeed, I was once ordered to implement OAuth but keep the email password reset because too many people would get locked out otherwise. And I almost locked myself out while testing.


It syncs everything to the cloud by default these days: https://arstechnica.com/security/2023/09/how-google-authenti...


Why should someone outsource one more important identity thing to Google?


It doesn't have to be Google Auth, it can be any 2FA app (1password, Bitwarden, Authy, Microsoft Auth), whatever. It's just a safer way to do 2FA than SMS.

Google Auth is just one of the earlier popular apps, so it's a common example. It kinda sucks though, cuz if you lose your phone you have to reset all your 2FAs.


Google Authenticator is client side.

It's not the best 2FA app though; it makes it unreasonably hard to transfer codes.


It's the opposite these days – they sync your HMAC secrets to your Google account now unless you opt out: https://security.googleblog.com/2023/04/google-authenticator...
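Several comments above (writing down rescue keys, scanning the QR code into a different app, "it syncs your HMAC secrets") all come down to one fact: a TOTP enrolment is nothing more than a shared HMAC key, carried in base32 inside the otpauth:// URI that the QR code encodes. Whoever holds that key, on whatever device, can generate valid codes. The following is an added example, not code from any of the commenters or from Google Authenticator; it parses a constructed sample enrolment URI (not a real account; the key is the RFC 6238 SHA-1 test key "12345678901234567890"), implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, and verifies a code with a one-step clock-skew window and a constant-time comparison.

```python
"""TOTP from first principles: the enrolment secret is the whole credential."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample enrolment URI, as an authenticator app would read it from
# the QR code. Not a real account: the secret is the RFC 6238 SHA-1 test key
# "12345678901234567890" encoded in base32.
SAMPLE_OTPAUTH = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)

_ALGOS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_base32_secret(text):
    """QR-code secrets are usually unpadded and sometimes lower case; normalise."""
    s = text.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def parse_otpauth(uri):
    """Extract issuer, account and the raw HMAC key from an otpauth://totp/ URI."""
    u = urlsplit(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(u.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI carries no secret")
    return {
        "issuer": q.get("issuer", issuer_from_label),
        "account": account,
        "secret": decode_base32_secret(q["secret"]),  # this is the backup-worthy part
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), _ALGOS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, digits, algorithm)


def verify_totp(secret, code, at=None, period=30, digits=6, algorithm="SHA1", window=1):
    """Server-side check: accept +/- `window` time steps, compare in constant time."""
    if at is None:
        at = time.time()
    counter = int(at) // period
    accepted = False
    for c in range(counter - window, counter + window + 1):
        # Do not early-return: keep timing independent of which step matched.
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), code):
            accepted = True
    return accepted


if __name__ == "__main__":
    enrol = parse_otpauth(SAMPLE_OTPAUTH)
    print(enrol["issuer"], enrol["account"], enrol["secret"])
    print("current code:", totp(enrol["secret"], digits=enrol["digits"], period=enrol["period"]))
```

Note that nothing in `totp` depends on the device: any app (or this script) holding the same `secret` bytes produces the same code, which is why "transferring codes" between phones is really transferring the key, and why syncing the key to a cloud account moves the trust boundary to that account. The `window` argument in `verify_totp` is the usual one-step tolerance for clock drift; a larger window proportionally widens the brute-force target, so keep it small and rate-limit attempts on the server.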



