by autoexec 1204 days ago
Authenticator apps come with privacy concerns. Right now, Microsoft has no means to collect my location data, they don't have any access to my phone, including my phone's camera. The moment I install Microsoft Authenticator that situation changes. No thanks.
2 comments

SMS has even more privacy concerns. To be able to receive SMS, the network must know your location. You are also forced to use proprietary firmware for most radio components. SMS is also subject to attacks against the telecom, such as by tricking their staff into producing a new sim card with your number.
> To be able to receive SMS, the network must know your location. You are also forced to use proprietary firmware for most radio components.

These are risks you have just by owning a cell phone; having an authenticator app doesn't change that.

> SMS is also subject to attacks against the telecom, such as by tricking their staff into producing a new sim card with your number.

This is absolutely a legitimate concern, and the lack of security in carrier practices in particular honestly makes me want to avoid 2FA entirely. Fortunately, I've never needed it for account recovery. I use a password manager so all accounts get unique logins and I'm savvy enough not to fall for your typical phishing scams, which helps. There are no guarantees my luck will hold out though, so I'll be looking into privacy-preserving options for the most critical things or for cases where I'm not left with any choice.

TOTP does not require internet or a phone, even though it is commonly available as a phone app. It only requires an accurate system clock to work properly.
Most sites that support authenticator apps support the TOTP standard that allows you to use any authenticator app. You don't have to install the app specific to the site, you can find a privacy-respecting one.
If I can find a privacy-respecting one, that's a good thing! I worked a job that tried to force us to use Microsoft Authenticator but we pushed back after looking at the privacy policy and so instead we ended up with perfectly nice key fobs. It's hard to beat that for privacy.