My guess is the most common attacker is someone sitting on a computer in a different country/continent. So: 1) Getting a mobile phone number seems much more difficult than getting an email. It provides some amount of country verification: if a service runs for, let's say, Danish people, then they can expect the phone number to be a +45. 2) Taking over someone's email seems much easier than taking over someone's phone, since many people reuse the same password everywhere, so if you already have the password of the service requesting the OTP, there's a good chance you also have the email password. The email address is not hard to find if the attacker has the password to the first email too. Hoping for security by obscurity (i.e. the 2nd email is now a "secret") isn't great. 3) Physical security: without a sophisticated attack, SMS can only be received on the actual user's mobile phone, even on a phone with no passphrase. "If the phone is stolen" isn't a realistic scenario against a scammer on another continent. Also, from a theoretical point of view: it's a completely different communication channel, so if someone has somehow taken over the first channel (via some malware running on the email client/computer), then they still need to take over the second channel.
So for instance, if USPS snail mail weren't so slow (or you don't need the OTP code right away), even if really insecure, it'd be better than a 2nd email, as it has the same benefits as SMS.
> Also, from a theoretical point of view: it's a completely different communication channel, so if someone has somehow taken over the first channel (via some malware running on the email client/computer), then they still need to take over the second channel.
...is a very good point. Although (without any data to back up this claim) I would think most users with a compromised device have a fully compromised device.
Edit:
> Hoping for security by obscurity (i.e. the 2nd email is now a "secret") isn't great.
To clarify, that's not exactly the point. If the attacker discovers the value for the phone number or 2nd email (through a data breach), then it becomes targeted, which brings us back to the security of SMS vs email (the parent article).