>>> I really wish that were illegal. A phone number is a phone number.
European speaking. For completeness:
The financial directive PSD2[1] allows using SMS as a 2FA method only because KYC has already been done for that number (anonymous SIMs are no longer allowed in the EU).
Also note that the 2FA is not the OTP code you receive. This code is just a proxy for probing "something you have", with the "something" being the phone number which, again, is linked to a physical person/company.
I have commented on this several times, but as of today SMS is the only 2FA method that can be easily deployed at scale (all demographics, all locations, compatible with all mobile devices).
Ironically, this is only true for prepaid SIMs. As a result, in some EU countries it's easier to get a month-by-month postpaid plan – sometimes there's no KYC at all for these...
Yes, the problem with UK ones, though, is that they route all the traffic through a prudish proxy if you don't register. Because the UK is getting back to the Victorian era.
I had a SIM from Three Ireland that tried to apply this UK policy to Republic of Ireland customers as well, where it is not required. It was unusable; it blocked pretty much everything it didn't recognise, like VPNs, even email servers. Luckily there are many sane providers there too. And no, they don't require registration.
Possibly less secure, considering the existence of SIM-cloning crime rings. SMS two-factor potentially gives a hostile actor a way to 'prove' that they're you.
I'd argue that there isn't one: you have to offer multiple choices. Auth through any TOTP app, YubiKey, pre-generated codes, mailing a physical code generator, etc.
> The financial directive PSD2[1] allows using SMS as a 2FA method only because KYC has already been done for that number (anonymous SIMs are no longer allowed in the EU).
I don't think that's true. Is there even any way for banks to ask your mobile operator for your identity (or confirm it), in the way that US banks seem to be able to? That seems like it would run afoul of EU privacy regulations.
And regarding the EU "anonymous SIM" regulation: That one ironically only seems to apply to prepaid cards. To my surprise, I was just able to register a postpaid line using no identity verification whatsoever a few days ago...
> This code is just a proxy for probing "something you have", with the "something" being the phone number which, again, is linked to a physical person/company.
The "thing you have" is actually the SIM card. That's supposedly why email OTP does not count – an account on some server is not, or at least not cleanly, "something you have". (A pretty poor decision, IMO, but that's a different story.)
> I have commented on this several times, but as of today SMS is the only 2FA method that can be easily deployed at scale (all demographics, all locations, compatible with all mobile devices).
All demographics except for people that change phone numbers frequently. All locations except those that don't have cell signal (or for plans without roaming). All mobile devices except those without a SIM card slot. An authentication solution for absolutely everyone! /s
[1] https://en.wikipedia.org/wiki/Payment_Services_Directive
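Worked example of the point made in two of the comments above (that the OTP digits are only a proxy, and that the real factor is possession of something the verifier can bind to, whether that is a SIM, a number, or a secret on the device): a TOTP implementation per RFC 4226/6238, where the code is derived from a shared secret and the server checks possession of that secret, not the code itself. This is an added example, not code posted by any commenter or by any bank or operator discussed in the thread. The TotpVerifier class, the demo() function and the clock-drift window of one step are assumptions made here for illustration; the secret "12345678901234567890" is the RFC test-vector key, so the outputs can be checked against the RFC tables.

```python
"""TOTP (RFC 6238): the six-digit code is a proxy for holding a secret.

Added example, not from any commenter. Whoever holds the shared key K
can produce the current code, so the verifier is really checking
possession of K. The check also has to handle clock drift and refuse a
code that was already accepted (replay), which is where SMS OTP
deployments differ from a local secret.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code (illustrative class, an
    assumption of this example).

    Accepts +/- `window` time steps of clock drift, compares in constant
    time, and never accepts the same time step twice (replay protection)."""

    def __init__(self, key: bytes, window: int = 1):
        self.key = key
        self.window = window
        self.last_accepted_step = -1

    def verify(self, candidate: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for drift in range(-self.window, self.window + 1):
            step = current + drift
            if step <= self.last_accepted_step:
                continue  # this step (or an older one) was already used
            expected = hotp(self.key, step)
            if hmac.compare_digest(expected, candidate):
                self.last_accepted_step = step
                return True
        return False


# RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_KEY = b"12345678901234567890"


def demo() -> dict:
    """Constructed scenario: a fresh code, a replay, and a code from the
    next time step presented while the server still sits in this one."""
    verifier = TotpVerifier(RFC_KEY)
    t = 1234567890  # RFC 6238 test-vector time; 6-digit code is 005924
    code = totp(RFC_KEY, t)
    return {
        "code": code,
        "fresh": verifier.verify(code, t),            # first use: accepted
        "replayed": verifier.verify(code, t + 5),     # same step again: rejected
        "drift_ok": verifier.verify(totp(RFC_KEY, t + STEP_SECONDS), t),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The replay check matters for any OTP transport: a code intercepted by a SIM swap, a cloned SIM or an SS7 redirect is only useful to the attacker if it has not already been consumed, so a verifier that accepts the same step twice turns a narrow interception window into a reusable credential.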