[johnisgood]

SMS 2FA can bite you in the ass. Since the phone is with you all the time, there is a higher chance of something happening to it that makes it damaged enough for you to not be able to use it. Now, you are in possession of the password, the IP is the same as the one you signed up with, you have access to your e-mail, but you still cannot access your account. You contact support, you tell them the same thing. They will tell you they cannot help you because "security", and do nothing. You are now unable to access your account, most likely forever.

This happened to me. Any experiences or thoughts? Is it worth the risk? How do you prevent this scenario besides not using 2FA from happening? Personally I would choose to not use it though.

[drewmol]

>Any experiences or thoughts?

I used to have Ting for phone service, you can require mfa/lock number porting, disable or activate or change a device/sim, toggle voice sms and data and forward calls from their multi factor authenticated dashboard. Requested an extra sim and kept a dumb cdma phone lying around in case I broke lost or someone stole my phone. Also used an app to sync texts in case of broken scren. Now I use verizon and keep a spare cdma device, you can change devices from their web portal in combination with a message syncing app. You could also port your # to google voice for similar features but I assumed google will scrap it with little notice so I have not.

[tgsovlerkhgsel]

The reason why companies love SMS 2FA is because most people keep their phone number. In a scenario like you described, most people would walk into a <whatever their provider is> store, show ID, and get a new SIM.

This way, the company using SMS 2FA has effectively outsourced this recovery path to the phone companies. Instead of handling recovery (and potentially liability for getting it wrong) themselves, they can just tell you to go recover the phone number. And when the phone company gets it wrong, you get stuck in a nightmare of finger-pointing instead of having a clear culprit to hold responsible.

[tiborsaas]

> You are now unable to access your account, most likely forever.

Nah, you just have to wait till you order a new SIM from your carrier.

Some companies also offer offline, 1 time passwords. 2FA SMS can be a pain in such cases, but it's not that bad.

[johnisgood]

Oh, I just noticed I typed "SMS 2FA". My bad! In that case, you are correct, but in my particular case I lost all data related to Google Authenticator, including the shared secret. Customer service refused to help, despite having had the same phone number, because it was not SMS-based 2FA. Sorry! I should not get on HN when so mentally exhausted. :(

[tiborsaas]

We use Google Authenticator too at work, I had to go to IT in person to get a new one when I got a new phone. It makes sense to refuse to give you based on solely the phone number. However, there should be a process to renew these credentials, phones die too.