by Thorrez 1418 days ago
>System rules can, and often are configured to prevent password reuse

How? And even if it's not verbatim password reuse, people often choose extremely similar passwords such that given one password, the other one can be guessed in a few guesses.

Password complexity requirements don't stop password reuse.

>Tying vital security to random, and often personal, mobile devices that aren't properly secured and registered is reckless.

I agree that SMS is the worst form of 2FA. There are others though.

>It's not logically sound to say 2FA creates additional security in any other sense but within the technical complexity added to authentication.

You're conflating SMS 2FA with all forms of 2FA. There are other forms. The biggest threat that people face today is phishing. That's stopped by U2F/WebAuthn. One of the next biggest threats is credential stuffing. That's stopped by all forms of 2FA, regardless of how weak SMS is.

>Social engineering alone from being able to call and text users and socially engineer access to their accounts through scams with the sheer amount of personal data that social sites and apps greedily and unnecessarily collect on them.

U2F and WebAuthn protect against these types of phishing attacks.

>A mobile device is not a footprint nor proof of ID, it can be physically lost or stolen, or even cloned, which has happened often.

So use a different type of 2FA than SMS.