For the record, phone numbers and SMS are a security vulnerability. Current recommended best practice once a U2F token and authenticator app are set up is to remove the phone number from the account (which may not be an option for many services).

https://techsolidarity.org/resources/security_key_faq.htm

there are at least three reasons why you should avoid using text messages for two-factor authentication.

- Your phone number can be easily hijacked by someone who calls the phone company and pretends to be you.
- The text message can be viewed or redirected while en route to your phone.
- Many phones are configured to display text messages on the lock screen.

If text messages are the only way to add two-factor authentication to your account, they are better than nothing. But if you can use an alternative method, like an authenticator app or a security key, use that instead.

https://news.ycombinator.com/item?id=14106578

> tptacek: The real answer for "why not SMS" is "because both teenagers and intelligence services can get a phone number redirected; your phone number is not your phone."