by velavar 1212 days ago
I don't think that folks so much "moved" to SMS 2FA as much as were with it from the start. SMS 2FA is so ingrained in the finance/fintech industry that it's pretty rare for me to see a financial company offer the option to set up an Authenticator 2FA. Also, there is always some part of the consumer population that is still not on a smartphone and even if they are, they may not be "app-savvy" where they know how to install or use an authenticator app. For this reason, I think most finance companies will steer clear of the Authenticator app and go directly for SMS 2FA or worse, email 2FA.

Nobody in my family - parents, kids, spouse - knows what an authenticator app is or would know what to do if presented that as an option, although my teen could probably figure it out.

For everyone else, it would be a cascading series of installation and password and app switching and immediacy problems. This would create a great deal of frustration, and ultimately a call to family tech support (me) or the service provider if human tech support is an option which is not the case for many companies such as Google and social media firms.

The biggest hurdle to authenticator app adoption for the masses is the one that only bites you a year or more down the road when you get a new phone. If you didn't transfer your seed info over to the new phone before trading in the old one, you are locked out of all your accounts.
For this reason I've kept storage in keepass and backed it up in more than one place, but admittedly it's possible to lose everything. You need to expose yourself to a little more risk just to mitigate that possibility.

The other issue is that many smartphone owners don't have a computer they would back things up to. Just "cloud".

I finally got my 75-year-old mother to add 2FA/SMS to her online banking account. She calls me (from her landline) every time she tries to login. I have to walk her through the process. We usually have to request a new auth code be sent at least twice. It generally takes 10 or 15 minutes, although, admittedly, half the time is her complaining.

So, yeah, there's no way I could get her to use an Authenticator app. (Also, there's, "...all these apps scare me.", which isn't a bad thing considering the first (and last) app she installed on her Android phone was a malicious 'flashlight' app that kept displaying some sort of crypto ads.)

Have you considered that your mother just uses this as an excuse to talk to you on a regular basis?
Absolutely. And it reminds me of a conversation I had with my grandmother's doctor a few years before she passed:

- How's grandma doing? Is she gonna be okay?

- Well, let me ask you, does she complain much?

- All the time!

- Then grandma's doing fine. It's when she stops complaining - then, it's time to be concerned.

Wait until your mother is 89, like mine! It just gets worse. She is unable to retrieve a text message once it times out off her screen. (She uses a flip-phone).
> it's pretty rare for me to see a financial company offer the option to set up an Authenticator 2FA

As a data point, USAA (which is not the biggest bank, of course, but it is not tiny either) has supported TOTP for years. There are probably others, but at least some banks support relatively modern security.

My credit union supports TOTP. They also sent me a one time code generator thingy that I can use as a 2nd factor. Trouble is, there's a big link on the login screen that will allow anyone to bypass those options and fallback to SMS or email.
The real meat is in password recovery options.
And the other weak link -- people. My wife had several thousand dollars stolen from her account at USAA because someone called and managed to convince the phone rep to give them the login name and reset the login password. You'd think this kind of request would end up in the security department (where presumably the base level of suspicion is much higher), but nope. Took them six tries to reach a phone rep that would do it. Again, you'd think that multiple consecutive calls and getting denied would cause all future calls to automatically end up in the security department, but nope.

The head security guy at USAA and I had a talk where he explained in some detail how it all went down. He was refreshingly honest, and they didn't balk at getting our funds restored, but still -- humans are often the weakest link when they can defeat all of your security precautions. Probably the bank shouldn't give phone reps that much authority, and always require a dedicated security team response for such unusual situations.

Is email worse? Email for the most part does not require you to enter into an agreement with a predatory or monopolistic phone company, and there are services to generate single use emails that you can segregate between services.
I prefer SMS for 2FA because some authenticator apps get tied to a device.

I'm worried about losing my phone and being locked out.

With SMS, I can show my ID to the Verizon rep, get a new phone, and I'm good to go.

Only downside is the verizon rep giving your sim to someone who deepfaked your voice.
Or the T-Mobile rep doing the same for someone who asked nicely with whatever voice and knew a couple relatively-easy-to-find details about you
> With SMS, I can show my ID to the Verizon rep, get a new phone, and I'm good to go.

Which means that anyone else who can fake an ID is good to go with that verizon rep. Or the rep themselves.

I will always avoid connecting any account to SMS if at all possible, it's the worst of all options.

TOTP is the best, as it is an open standard and doesn't tie you to any device nor any vendor.

> I prefer SMS for 2FA because some authenticator apps get tied to a device.

No need! Just save the TOTP seed in a safe place such as a computer under your control (i.e. not a phone) or even a piece of paper in a safe.
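The point made above (the TOTP seed is the whole secret, so whatever you have it backed up on can regenerate codes, and a server verifying them needs nothing vendor-specific) is easy to show concretely. The following is an added example written for this page, not code from anyone in the thread; it implements RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library only. The seed value is the base32 form of the RFC 6238 test-vector key (an assumption for illustration, not anyone's real seed), and the defaults (SHA-1, 30 second step, 6 digits) are the ones most authenticator apps use. The server-side `verify_totp` helper is also an added illustration: it tolerates one step of clock drift, compares in constant time, and refuses a counter at or below the last accepted one so a code someone has already seen cannot be reused within its window.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample seed: base32 of the ASCII key "12345678901234567890"
# used in the RFC 6238 test vectors. An assumption for this example only.
SAMPLE_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(base32_seed: str) -> bytes:
    """Turn the seed as an authenticator app shows it (base32, possibly spaced
    and unpadded) back into the raw HMAC key."""
    cleaned = base32_seed.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding base32 requires
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then reduce modulo 10^digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(base32_seed: str, unix_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step).
    Nothing here depends on the phone; only the seed and the clock matter."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(decode_seed(base32_seed), unix_time // step, digits, algo)


def verify_totp(base32_seed: str, submitted: str, unix_time: Optional[int] = None,
                step: int = 30, window: int = 1,
                last_counter: Optional[int] = None) -> Optional[int]:
    """Server-side check. Accepts codes from `window` steps either side of now
    (clock drift), compares in constant time, and skips any counter at or below
    `last_counter` so an already-used code is rejected inside its step.
    Returns the accepted counter (store it as the new last_counter) or None."""
    if unix_time is None:
        unix_time = int(time.time())
    key = decode_seed(base32_seed)
    now = unix_time // step
    for counter in range(now - window, now + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    print("code at T=59:", totp(SAMPLE_SEED, 59))  # RFC 6238 vector: 287082
    print("current code:", totp(SAMPLE_SEED))
```

Running the file prints the RFC 6238 test-vector code for T=59 and then the current code for the sample seed; any app or script holding the same 32 base32 characters produces the same values, which is why a backed-up seed is a full recovery path. The `last_counter` bookkeeping is the part most home-grown verifiers forget: without it a code remains valid for the whole window even after it has been used once.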

At least for the Apple ecosystem 2FA is built into the iCloud Keychain so you can access it from multiple devices. While there are security implications, in general it is a good trade off that the Safari or apps will only offer to auto-fill on the matching site. For the general population it is a far nicer, safer, and faster solution than waiting for the matching SMS code to login.

The biggest downside is if the site isn't set up correctly it is a long trek into Settings to get the code and it makes the site seem less trustworthy.

Obviously custom non-TOTP authenticators are dumb and not much better than SMS 2FA. I was mainly asking why anyone would opt for SMS (or a custom authenticator app) over just a TOTP authenticator.
2FA works well with the geolocation service SS7 [1,2], so when your text message and OTP code arrives, the firm could also be using SS7 to get your location.

[1] https://en.wikipedia.org/wiki/Signalling_System_No._7

[2] https://web.archive.org/web/20201219144441/https://www.thebu...