by exabrial 404 days ago
> SMS is the only 2FA method that can be easily deployed at scale

No, no, no, no, NO. No it's not. And you have zero proof of this. It's done this way because it's the lowest effort to give security theater.

2 comments

What's the theater with SMS 2FA? That is more secure than not having it enabled, no?
Possibly less secure, considering the existence of SIM-cloning crime rings. SMS 2-factor potentially gives a hostile actor a way to 'prove' that they're you.
What's the actual method that can be easily deployed at scale then?
I'd argue that there isn't one: you have to offer multiple choices. Auth through any TOTP app, YubiKey, pre-generated codes, mailing a physical code generator, etc.
Email + SMS + generic time-based OTP seems quite enough imho.
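The two non-SMS options named in the thread, a generic time-based OTP (RFC 6238 TOTP) and pre-generated backup codes, are small enough to show end to end. The block below is an added example written for this page, not code posted by any commenter: it implements HOTP/TOTP with the Python standard library, a verifier that tolerates one step of clock drift but refuses to accept the same counter twice (replay protection), single-use backup codes stored only as hashes, and the otpauth:// provisioning URI that authenticator apps scan. The 20-byte key `12345678901234567890` is the test key from RFC 6238 Appendix B; the issuer and account names are made up, and the hashing of backup codes with plain SHA-256 is an assumption made to keep the example dependency-free (a slow hash such as scrypt would be the production choice).

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Set
from urllib.parse import quote

RFC6238_TEST_KEY = b"12345678901234567890"  # key from RFC 6238 Appendix B, not a real secret


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key: bytes, code: str, at_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the counter the code matched, or None.

    Accepts +/- `window` steps of clock drift, compares in constant time, and
    rejects any counter <= last_counter so a captured code cannot be replayed.
    The caller must persist the returned counter as the new last_counter.
    """
    if not (code.isdigit() and len(code) == digits):
        return None
    base = int(at_time) // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return counter
    return None


def provisioning_uri(key: bytes, issuer: str, account: str,
                     digits: int = 6, step: int = 30) -> str:
    """Key URI understood by common authenticator apps (label is issuer:account)."""
    secret = base64.b32encode(key).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


def generate_backup_codes(n: int = 10, nbytes: int = 5) -> list:
    """Pre-generated single-use codes; show these to the user exactly once."""
    return [secrets.token_hex(nbytes) for _ in range(n)]


def hash_backup_code(code: str) -> str:
    # Assumption for the example: SHA-256 keeps it dependency-free; use a slow
    # password hash (scrypt/argon2) in production so a leaked table is not trivially reversed.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


def consume_backup_code(store: Set[str], code: str) -> bool:
    """Accept a backup code once: the hash is removed from the store on success."""
    digest = hash_backup_code(code)
    if digest in store:
        store.discard(digest)
        return True
    return False


if __name__ == "__main__":
    print(provisioning_uri(RFC6238_TEST_KEY, "ExampleCorp", "alice@example.com"))
    print("TOTP at T=59:", totp(RFC6238_TEST_KEY, 59, digits=8))
    codes = generate_backup_codes()
    stored = {hash_backup_code(c) for c in codes}
    print("backup code accepted:", consume_backup_code(stored, codes[0]),
          "reuse accepted:", consume_backup_code(stored, codes[0]))
```

Persisting the matched counter is what makes the verifier replay-safe: a code phished or shoulder-surfed during its 30-second window is still worthless once the legitimate login has consumed that counter. The drift window should stay small (one step each way) because every extra step accepted doubles the attacker's guessing surface against a six-digit code.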