by JaggedJax 625 days ago
This happened to me with a major bank. They were using the same number for 2FA and some other types of texts. I got locked out of my account for a while because I had unsubscribed from their marketing texts. What an unbelievably dumb way to send 2FA codes.

Had a similar thing happen to me, but for Facebook. Account got locked, to unlock I needed to verify identity via text. Never received the text because I had disabled getting text fb notifications, which apparently included account recovery. Managed to find this on some obscure thread to text some number to resubscribe and get it to work - no mechanism from fb, no alternate way to verify, no indication that this was the issue.
I think something similar happened to me, but I used the phone's block and report feature. I assume it was the number of some SMS sending service that had both legitimate and spam clients.
Yet another reason why SMS 2FA should not be used. Shameful.
It's used, as far as I can tell, because banks don't want to have to explain to millions of customers how to use anything else.
Also because once they get that number under the guise of needing it for security they can use it for marketing texts. It's a win win!
It's perfectly fine if people want to use it, but at least provide the option for TOTP or hardware keys behind a big scary warning page or something.
What is a better 2FA channel?
An authentication app like Google Authenticator. There are others as well. https://en.wikipedia.org/wiki/Comparison_of_OTP_applications

No communication occurs to serve your 2FA code - it's a time-based 2FA protocol.

Passkeys or WebAuthn. TOTP-based 2FA (regardless of whether it's hardware or software based) is vulnerable to phishing. Protocols like WebAuthn are tied to the domain and are a lot trickier to compromise (at least not without significant effort).

A lot of people here are complacent when it comes to phishing because they believe "I am a big overpaid technical person on Hackers News, I am not dumb enough to fall for suspicious links unlike those dumb unwashed masses" but as most security people know, the sort of mass phishing attempts your grandma receives are relatively low effort compared to actual targeted spear phishing. A dedicated phishing attempt won't have broken English, CSS styling issues, weird punycode etc. It would be practically indistinguishable from the real thing unless you were specifically looking for it.

An authenticator app or hardware MFA device.
TOTP (thing that generates the 6 numbers every 30 seconds) whether that's a dedicated device (secure but very annoying) or a TOTP app on your phone (what most people use).
Password managers like 1Password also support TOTP; it doesn't have to be an app on your phone.
I at least have a different user account that only does TOTP but it isn't really a second factor if it is on the same device (since the idea is to make getting access to the code significantly more difficult than just getting access to the password).

I like this simple TOTP code generator:

https://github.com/arachsys/totp

TOTP via password manager
Ideally use a dedicated hardware key, but if you can't, just use a 2FA app.
Any dedicated MFA app, such as Authy.
I just saw on https://en.wikipedia.org/wiki/Comparison_of_OTP_applications that Authy is discontinued as of March 2024?
Authy desktop apps are discontinued, the mobile apps are up and running.