by JeanMarcS 3030 days ago
I was going to say something like that.

If official websites (tax, banks, etc.) start to use app 2FA, people with only a mobile phone will have to use, what, physical mail? Or will they have to go to buildings in person?

I agree that the more secure the better, but we mustn't stop thinking of a big part of the population that cannot afford smartphones (or keys or whatever). Same problem for non-technical persons.

2 comments

Why worry about people affording it? TOTP hardware keys are super cheap, just give them out to people without phones at the local BMV. There are some that are credit card sized and one battery lasts 5+ years.

Alternatively there are a number of desktop based 2FA clients:

- Authy
- GAuth
- JAuth
- WinAuth

The thing you're missing is that you're still at the mercy of the establishment with which you're authenticating. Just like how my 1024-character banking login password doesn't stop my bank from giving someone else my debit card.

To suddenly arm a bunch of people with a new authentication paradigm like hardware keys would just result in a lot of people losing them and then having to go through the establishment's reauthentication channels anyways, which are the weakest link in these systems. And the influx of people needing account resets further degrades the security of the channel the same way you stop asking to see IDs when customers are paying with credit during the lunch rush.

It's not a free lunch.

I'd be happy if such sites would just support more serious options than SMS, without necessarily requiring it.