[mullen]

The only way I see this problem going away is when regular retailers start supporting software and hardware two factor authenticators.

I use Google Authenticator on any website that supports it and it does not impact the customer experience at all and it really improves security.

[QUFB]

Agreed, but keep account recovery in mind.

Account recovery is a major pain point for any site that supports TOTP 2FA. If you're not using a TOTP application that supports cloud backup (like Authy), when you lose or replace your mobile device the existing TOTP tokens are useless as they can't be recovered. This results in some type of account recovery process to reintroduce the 2FA tokens. Often these recovery processes introduce additional security issues that are equivalent to not supporting 2FA at all, or they might require costly human intervention.

Don't get me started on SMS 2FA.

[drchickensalad]

I'd like to get you started on SMS 2fa. I deal with this a lot at work and would like as much information as possible!

[jandrese]

SMS is terribly insecure. Using it as a security system is a bad idea.

SMS verification is more for discouraging bots from making accounts by making it expensive--you need to buy a cell phone. Every SMS verification system refuses to send to VoIP type accounts for this reason.

[jsoverson]

Couple this with the fact that mobile services are also subject to credential stuffing attacks constantly and, for the services that allow you to read SMS messages online, the attackers who take over your mobile account also gain a critical piece of your 2FA protection.

[davchana]

Exactly that's why I have disabled my Google email recovery via phone number. Only possibilities are Auth via an existing signed-in device, Google Auth, or backup codes.

[davchana]

I always save that TOTP Token or QR code in my seperate keepass database, so that if my Google Auth app breaks for any reason, I can install it fresh & re-scan those QRs from keepass.