[TacticalCoder]

> The reason SMS 2FA is popular, is because the average use case is that the user's (reused and/or weak) password was captured somewhere...

People are not disputing the effectiveness of 2FA. They're saying that SMS is not a reasonable way to implement 2FA.

All my banks' websites in Europe (I've got several) are requiring the use of a physical device, provided by the bank, and protected by a PIN. I need to use such devices both to log in and to confirm wire transfer / stock buys / etc.

U2F keys like Yubikeys and physical 2FA devices like those provided by my banks are way better than SMS 2FA. Why not strive towards that instead of saying that SMS 2FA is popular for reasons and that nothing can be done about it?

[vanilla_nut]

Physical 2FA devices impose a significant price burden on folks who don't have a lot of disposable income. Imagine scraping by to pay rent from your minimum wage job, and you're told that you can't sign up for $SERVICE because you don't have a new enough phone or a yubikey.

Email 2FA works just fine. Set a long, secure password for your email account. Trust that your email provider won't allow anyone to brute force their way into the account. Don't use that email for any other accounts. Bam, security is fine.

Stop trying to force more and more purchases and apps down other people's throats. Maybe I don't have a smartphone or a yubikey. I should still be able to use services, especially when many of them are required to function in society today.

[pmontra]

Italy here.

A couple of my banks let me login by confirming my identity with a fingerprint on my phone, in their app.

Another one still supports their old 6 digits OTP generator, but also has the app with the fingerprint authorization.

Mastercard does key6 but they or my bank also send a SMS with a numeric code.

Paypal sends an SMS with an OTP.

It seems that nobody wants to spend money on hardware here.

[ghaff]

The parent did refer to banks giving them to people. I just got a USB one in a swag bag at an event from Google so I guess they're pretty inexpensive these days. But I don't disagree with the basic point. Most everyone has a phone and won't carry around a separate hardware device in general irrespective of price.

[pmontra]

Yeah, of course I won't do that because I might lose that device and it takes space, times the number of banks giving me their own hardware.

I keep my hardware key generator at home. I need it only to perform some operations from my computer. Everything I do outside home is with the phone, which funnily is its own 2FA device. Banks and regulators accept that for the sake of convenience.