by aaronlifshin 2238 days ago
He writes: "Of course if that’s a major problem, then offering 2FA logins and password verification via cell phone wouldn’t make much sense either."

But this is not necessarily true, as spoofing a source phone number of an SMS is a lot easier than receiving an SMS that was sent to another number.

He also skips over the fact that 2FA means second factor. Even if insecure it's still better than nothing.
Only if 2FA doesn't open up customer support channels that defeat the point of 2FA, like the common "oops I lost my phone lol" channel attack that gives you access to an account if you can provide the other factor.

(Still) works against Amazon btw: https://medium.com/@espringe/amazon-s-customer-service-backd...

I'd say 2FA is often worse than 1FA because customer support systems are rarely prepared to say "sorry, can't give you access to your account :/". Because 99.9% of the time, it really is a user accidentally locked out of their account.

That has nothing to do with 2FA, does it? Having a recovery procedure that escalates up to direct phone contact is the norm with or without 2FA. This system is probably older than the Internet, with banks operating on similar principles (of course, it escalates up to physical presence there).
If the recovery procedure requires only one factor, then “2FA” is a lie.
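The point made in the comments above, that an account is only as strong as its weakest entry path, can be checked mechanically. The script below is an added example and is not code from the thread or from any of the services mentioned; the two policies, their path names and the factor names are hypothetical and only model the "lost my phone" support channel as described above (login needs password plus SMS code, but support hands over the account for the password alone).

```python
"""Evaluate the effective strength of an account's authentication policy.

Added example, not from the thread. An account can be entered through
several paths (normal login, support recovery, backup codes). An attacker
who holds some set of factors gets in if any single path is fully covered
by what they hold, so the policy is only as strong as its weakest path.
"""
from typing import Dict, FrozenSet, List, Set

Factor = str
Path = FrozenSet[Factor]
Policy = Dict[str, Path]

# Hypothetical policy modelled on the "oops I lost my phone" channel:
# the support path accepts the remaining factor (the password) on its own.
WEAK_POLICY: Policy = {
    "login": frozenset({"password", "sms_otp"}),
    "support_lost_phone": frozenset({"password"}),
}

# Hypothetical hardened policy: every path, including recovery, demands
# two independent factors (a pre-issued backup code replaces the lost phone).
HARDENED_POLICY: Policy = {
    "login": frozenset({"password", "sms_otp"}),
    "recovery_backup_code": frozenset({"password", "backup_code"}),
}


def effective_factor_count(policy: Policy) -> int:
    """Number of factors an attacker needs on the cheapest path in."""
    return min(len(path) for path in policy.values())


def attacker_can_enter(policy: Policy, held: Set[Factor]) -> List[str]:
    """Names of the paths an attacker holding `held` can walk through.

    A path is open when every factor it demands is in the attacker's set.
    """
    return sorted(name for name, path in policy.items() if path <= held)


def single_points_of_failure(policy: Policy) -> Set[Factor]:
    """Factors whose compromise alone is enough to take over the account."""
    return {f for path in policy.values() if len(path) == 1 for f in path}


def all_minimal_compromise_sets(policy: Policy) -> List[Path]:
    """Minimal factor sets an attacker must hold, one per non-dominated path.

    A path is dropped when another path needs only a subset of its factors,
    since the attacker would always take the cheaper one.
    """
    paths = set(policy.values())
    minimal = [p for p in paths if not any(q < p for q in paths)]
    return sorted(minimal, key=lambda p: (len(p), sorted(p)))


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: effective factors = {effective_factor_count(policy)}, "
              f"SPOF = {single_points_of_failure(policy) or '{}'}, "
              f"password-only attacker opens {attacker_can_enter(policy, {'password'})}")
```

Run it and the weak policy reports an effective factor count of 1, i.e. the "2FA" account is a one-factor account to anyone who has the password; the hardened policy reports 2 on every path.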
Not if you live in a surveillance state such as many middle-east countries.

Many Telegram accounts were compromised in Iran a while ago because of this. https://www.wired.com/2016/08/hack-brief-hackers-breach-ultr... Similarly, I know for a fact that in many countries your GSM provider stores your texts so you can view/reply to them from their web portal. (As you can imagine, even though an attacker might not have your SIM card, they might find your user/pass to log in to your GSM provider's portal.)

Also state-sponsored actors do tap into GSM operators since SMS is not end-to-end encrypted. Add this to the previous attack vector and you'll see that wiretapping inbound SMS is surprisingly not that hard.

Resistance to state actors is a pretty high bar.