by motohagiography 2355 days ago
Dealing with 2FA UX right now. There is a massive gap between threat intel people, product owners, and end users.

From an identity assurance perspective, SMS is the best available. From an authentication perspective, it's increasingly dodgy.

Reality is telcos have user enrollment almost on par with bank KYC, where everything else has great authN but with user asserted identity.

Critics of SMS are technically correct, but 9/10x I don't think they have had to solve identity in an open or federated environment.


> Reality is telcos have user enrollment almost on par with bank KYC, where everything else has great authN but with user asserted identity.

Are you sure? I don't mean that to sound hostile, genuinely asking. Because, at least in the States and Canada, I can get all of the +1 numbers I want on real SIMs for around a dollar apiece--or less if I work at it instead of just trotting down to Walgreens--and attach any name I want during the sign-up flow. In point of fact, I have a vanity 212 number I've owned for years. It is currently parked on a SIM registered to the name George Crabtree (that name even shows up on CID/CNAM).

Best part? The MVNO that provisioned the SIM is using a white-label service from one of the big four. Even the ICCID prefix is from the actual carrier and not the MVNO. That means that all of the automated API checks show it as a "normal" phone number provisioned on a "regular" SIM...and owned by Constable Crabtree.

It's the credit check part of the KYC for telcos that makes them like banks. The pay-as-you-go SIMs are absolutely arbitrary, but there are back-end ID verification services offered by telcos that have been in design a very long time. Not sure of their current status, but they have the KYC data.

^^^ this. SIMs are super easy to get.