It’s not really a security concern, but SMS is only one factor (and EU regulations require banks to ask for two).
SMS fees outside the US are also orders of magnitude higher – paying a few cents for that can make the entire transaction uneconomical for banks, since interchange rates are also heavily capped in Europe.
I have had too many phones land in water, then get bricked, then be unrecoverable. Then find that 2FA locked me out of key stuff. Like my Apple account.
I know that SMS is insecure. But I can get it back after a predictable disaster.
For most 2FA codes you can store the QR seed you get for your authenticator app as a backup code.
SMS is trash, yeah; 2FA just works if you care enough to know how (on most sites).
With my Apple account, I didn't even remember 2FA having been set up at all. And if I had backed it up, it would have been to a computer that itself had been replaced when it died, with the Time Machine archive having been corrupted and unrecoverable, so it would have been lost.
Today I've noticed the QR seed idea. But I'd prefer my personal phone having access to nothing irreplaceable, and not worrying about it if it dies.
If I work in an environment that needs to be secure, then I'll worry about following security recommendations. But to whatever extent possible, I prefer not working in an environment that needs to be secure. And then not bothering with the UI disasters that secure solutions regularly impose on people.