by Boldened15
412 days ago
Don’t 2FA apps have the major downside that if you lose the specific mobile device you installed it on you’re SOL, unless you have backup codes that are too technical for most? SMS gets you more human support since you pay your carrier; I can walk into my nearest telco branch with my ID if I lose my phone and change the SIM to another phone. So most of the time unless your SIM is hijacked it’s a good proxy for being actually you. Plus having to download another app adds friction to the signup process and most users aren’t going to bother, so for most it’s SMS 2FA or nothing. Since apps often want your phone number anyway for bot prevention, and users are used to verification codes, it’s not a big deal. Also a tail end of other issues with 2FA apps (and SMS 2FA predates the nice ones anyway); in other countries there are devices other than iOS/Android to suggest an authenticator app for, limited network speeds and device storage, etc. Heck, I know people in the U.S. with full device storage who can’t download new apps without deleting some stuff. If you’re a random app and not a tech company SMS 2FA is just going to be much easier to implement.

If you don't want to lose access after losing your second factor, you don't want two factor authentication. Trying to make 2FA something it's not only muddies the waters and makes things annoyingly confusing.
I don't think "I know someone whose phone can't handle a 2MiB TOTP app" is a good reason not to offer real 2FA on a website. Sure, offer SMS codes for people who don't care much about security beyond ticking auditor boxes.