[weird-eye-issue]

...

You would have to get access to their email and SMS to perform a password reset and get past 2FA. If you are saying you could do a SIM swap attack simply by having access to their email I think that is not that practical at all.

> To answer your question on whether or not people access other people's SMS accounts -- yes!

What? I never asked that? What are you even talking about?

[rkeene2]

It's really unclear to me why you think that email would be involved in any other capacity than 2FA in this scenario.

Are you imagining that email is used in some other additional way in the authentication process, such as account recovery ?

[weird-eye-issue]

You've never done a password reset? That goes to your email. If your 2FA is over email too then that isn't 2FA. Because you only need the email to take over an entire account

[rkeene2]

So I see the problem now, your model includes a hidden assumption that password resets go to email -- this is not always the case.