I'm not really defending it, I'm explaining the mentality. iMessage is probably closer to "something I have" but yeah, often not true for many American users.
I'd probably keep a TOTP app if I actually brought my cell with my everywhere but I really don't feel like it; if I'm heading to a cafe to work for a bit I might need to access something and can't be bothered to bring two devices.
Plus, people increasingly access stuff from cell phones, so it's not a guarantee of "something you have" anymore. And no shot we're convincing everyone to start carrying some kind of hardware token.
You have to remember that cybersecurity is driven by what is secure so much as what is compliant, and increasingly so.
I'd probably keep a TOTP app if I actually brought my cell with my everywhere but I really don't feel like it; if I'm heading to a cafe to work for a bit I might need to access something and can't be bothered to bring two devices.
Plus, people increasingly access stuff from cell phones, so it's not a guarantee of "something you have" anymore. And no shot we're convincing everyone to start carrying some kind of hardware token.
You have to remember that cybersecurity is driven by what is secure so much as what is compliant, and increasingly so.