[icanhasfay]

I think most of the suspicions so far have been pointing to a sim swapping attack.

[rtempaccount1]

Hopefully if that's the case, more attention will be paid to the fact that using mobile phones for 2FA or identification on high value services is a bad idea :)

[mavhc]

Using phones is fine, using phone numbers is the problem. TOTP is great

[tomatocracy]

Until the authenticator app which holds the TOTP secrets in clear text is on the same phone as you are using to access the website/app in question to start with. Then you'd probably be better off instead storing a token in the secure enclave in the app itself instead.

[Mirioron]

I don't understand why people do that. Your 2nd authentication factor should not be something relying on the same device that you're using.

[roywiggins]

It reduces the set of people who can access your account from "people with the password" to "people with the password and access to my phone."

It's less like a 2nd factor and more like a poor man's password-protected private key authentication, but it's way better than just a password.

[jnbiche]

TOTP is OK (probably would have been adequate for @jack).

U2F is "great".

TOTP can be phished, whereas U2F is virtually impossible to phish.