by Splines 3893 days ago
It doesn't stop it, but it does raise the bar.

Since these guys knew how Verizon works internally I wouldn't be surprised if they could forward his cell # somewhere else. Some 2FA systems require a PIN for auth, but they have his Verizon one already, which is probably re-used everywhere.


This is why SMS- or phone-based 2FA is not a good idea. HOTP/TOTP is the right way to implement 2-factor auth.

    https://en.wikipedia.org/wiki/HMAC-based_One-time_Password_Algorithm
    https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
And totally impractical for most people...
Google Authenticator is pretty easy to use, as are the alternatives. Also really easy to provision. Not sure how SMS is more practical than an offline code generator.
First, notice how "pretty easy" isn't the same as straightforward. Good luck getting my mom to figure it out.

If you lose your phone, upgrade to a new one, or erase and restore it you lose all your authenticator credentials. That doesn't happen with SMS.

If you're in a situation where security is paramount, then physical cards or an authenticator are a better way to go. If you're 99.9% of the population, SMS is a far better solution.