[verelo]

Correct! Thanks for posting this, i just enabled it.

For anyone who wants to set it up you can find it by...

1) Logging into Easy Web

2) Click your name in the top right

3) "Password and security"

[ahelwer]

SMS-based 2FA is less secure than just a password. You unfortunately decreased the security of your account :(

[kevin_nisbet]

Can you elaborate?

I'm not sure I understand why you believe SMS codes as a second factor compromise the security of the password authentication.

[derefr]

It’s very easy to socially engineer a cellular ISP into redirecting arbitrary customers’ calls/texts to you, with just publically-available information.

[A2017U1]

That only matters if account reset is done through SMS. Barring that it is another layer of protection albeit weaker than TOTP.

[derefr]

Usually if you have a given user's username and password (from some big accounts breach), but not 2FA SMS access, you can still access enough accounts of theirs (because people still tend to use the same password for everything!) to see all the personal details required to phish the 2FA SMS redirection out of their cellular ISP.

Or, sometimes, you don't even need login access; one notable attack has been to the credit-reporting systems, where to unfreeze your credit report (and thereby apply for new credit lines) the reporting agencies require your name, birthdate, SSN, and SMS verification. But if the attacker already has name, birthdate, and SSN... well, that's all they need to get the cellular ISP to redirect the SMS verification, as well.

[Rafert]

How is requiring a SMS token in addition to a password less secure than just requiring the password?

[ahelwer]

Because SMS is used in password-recovery workflows, meaning it isn't a second factor at all - it's a single, easily-breakable factor.

[jeromegv]

Except your bank already has your phone number. If phone was already part of the recovery process, it didn’t make it any less safe by enabling 2FA SMS

[kevin_nisbet]

This only happens if SMS get's used in the password-recovery workflow. I don't think there is evidence that TD is using SMS to replace password reset.

So I really don't see how this makes security worse.

[verelo]

Maybe, that depends on the implementation. I don't believe they allow password resets from Easyweb via SMS, so i believe in this case it's at worst "as good as it was before", and only when they've managed to hijack my phone number.