Beyond marketing, I've never understood SMS as the default 2FA over just using a second email as the 2nd factor. Everyone has a 2nd email, personal + work or school. You could argue that both emails are probably accessible from an email app on the phone, but if the phone is stolen, then that's no worse than SMS or TOTP apps also on the phone. You could argue password reuse, but if the address used for 2FA is never exposed to the end user after being set + verified, then the attacker would have no way of knowing the victim's 2nd email address. Unless the attack is targeted... But if the attack is targeted, then we're back to SMS being vulnerable. So, what it comes down to is that a 2nd email as 2FA is more secure and more efficient than SMS out of the gate... (and much cheaper)... And, if I use a very obscure and otherwise unused email (with its own security + strong password), even a targeted attack has no better chance than against a TOTP app on an offline device, like an iPod touch. So:

- 1st.) TOTP on an offline device (most secure, most expensive, most difficult to learn, hard to use),
- 2nd.) 2nd email (can be most secure, cheapest, easiest to learn, easiest to use), and
- 3rd.) SMS (least secure, mid-expensive, mid-learnability, mid-usability).

Why didn't we all default to 2nd email then, instead of SMS as a paradigm? Actually, it was used, and is still used, by Gmail from the beginning (even in conjunction with TOTP now)...
1) Getting a mobile phone number seems much more difficult than getting an email. It provides some amount of country verification: if a service runs for, let's say, Danish people, then they can expect the phone number to be a +45.
2) Taking over someone's email seems much easier than taking over someone's phone, since many people reuse the same password everywhere, so if you already have the password of the service requesting the OTP, there's a good chance that you also have the email password. The email address is not hard to find if the attacker has the password to the first email too. Hoping for security by obscurity (i.e. the 2nd email is now a "secret") isn't great.
3) Physical security: without a sophisticated attack, SMS can only be received on the actual user's mobile phone, even on a phone with no passphrase. "If the phone is stolen" isn't a realistic scenario against a scammer on another continent.
Also, from a theoretical point of view: it's a completely different communication channel, so if someone has somehow taken over the first channel (via some malware running on the email client/computer), then they still need to take over the second channel. So for instance, if USPS snail mail weren't so slow (or you don't need the OTP code right away), even though it's really insecure, it'd be better than a 2nd email, as it has the same benefits as SMS.