[vigilans]

The most uninformed takes always come with a healthy dose of arrogance and vulgarity.

Every part of the industry that matters has been bitten by using phone numbers as a 2FA mechanism. It's why they're actually disappearing and are being phased out in favor of apps, OTP tokens, and email codes, depending on the amount of influence technical people wield at a given org.

[Dalewyn]

>in favor of apps, OTP tokens, and email codes

And all of them are some form of jank or inconvenience.

Look, most people (myself included) don't give a fucking fuck about security. Our time lost to the kabuki theater of security is worth more than the so-called "security" we gain, and that's assuming whatever is being secured is even worth securing.

A determined attacker will ignore all that and just undermine everything with social engineering against a useful customer support tech anyway.

Unless your solution is as simple as entering a password and hitting a button, which is the digital equivalent to taking out a key and unlocking your front door, it is not going to see widespread acceptance. Make your fucking security solutions convenient, not secure. kthxbai.

Even cars did away with keys because turning the ignition is an inconvenience compared to just pushing a button.

[tialaramex]

> Unless your solution is as simple as entering a password and hitting a button

What password?

I mentioned the NHS app I use in a different sub-thread, so let's try my (not very good, would not recommend but they offered decent credit balance interest) current account. I tap the app on my phone, I get a whirl of nonsense, and then:

"Verify that it's you" and I touch the fingerprint sensor on my Pixel 6.

And that's it. No passwords, no PINs, no SMS messages, no separate authenticator device

This is much more secure than real human passwords (it'll be an elliptic curve signed message, so similar to HTTPS) and much more convenient, and short of convincing me to literally send you my phone and my finger you can't trick me into giving you access.

[TeMPOraL]

What you say, plus the newer security schemes all have convenient side effects that end up fucking consumers over.

Consider, for example, banking apps: because 2FA via app being near-universal these days, even the web page doesn't let you use your bank account without installing the bank's app. And banks are, after MAFIAA, the biggest proponents of remote hardware attestation schemes. Thanks to that, we're reaching the point that phones that aren't locked down by Apple or Google are going to become useless. Mod/rooting scene already all but evaporated because of it - rooting your phone means fighting half the apps, including your bank, making the whole exercise not worth it.