
Ask HN: Why did smartphones become a single point of failure?

source link: https://news.ycombinator.com/item?id=32396685
99 points by neverminder | 111 comments
I can't log in to any of my banks without my phone. Most of the systems in my workplace also require phone app authentication. I can't do any of those things with just a PC or laptop. Smartphones being the smallest and portable are surely the most lost and stolen. If someone got a hold of my PC or laptop - they would be able to do some damage, but not even close to if they were able to access my phone. Everything everywhere nowadays requires some app.
Nobody knows how to do a failure analysis. I used to work in R&D; now that I'm building websites and mobile apps the culture doesn't care. Pointing out obvious design limitations will, more often than not, make me the asshole.

Not even trying to delay ship or get future rework scheduled, just having it documented is too much. Out of sight out of mind.

It's not that people don't know it's a SPOF. The issue is that if you fail in a way that is common, nobody blames you. Cell phone 2FA is so ubiquitous that when it doesn't work clients wonder if they're the one fucking up. We had a massive internet outage in Canada recently and nobody blamed individual shops for not being able to take credit cards, they blamed the phone company.

If you roll your own thing, even if it's objectively better, you're painting a target on your back. Now when your new thing fails it's your fault.

There's also something to be said for how modern financial capitalism has squeezed redundancy out of everything. Supply chains are just-in-time, businesses rely on a million vendors for everything, if a single link in the chain fails it usually has a huge blast radius because of broad consolidation in these upstream suppliers. Basically there are a lot of small businesses that depend on like 5 large companies (think Sysco, telecoms, etc) and if those large companies fail every small company fails in the same way, so there's no incentive to derisk (because your competitors will all also be failing in the same way).

> Pointing out obvious design limitations will, more often than not, make me the asshole.

Being an "asshole" isn't always a bad thing, assuming you mean "frowned upon for providing dissent along lines of unhappy, but factual, technical realities which are applicable in the current context".

If this is the new definition of asshole, then I am the king of assholes.

It's not that they don't know how to.

It's that there's an economic incentive to not care. So they don't.

Your choice of banks.

I still have my bank's physical code-slip and can sign in using it just fine.

My fiance's bank provided her with a small, calculator-looking battery-powered code device.

I always have a backup Android device set up as per my standard operating environment for this very reason. I'm actually due to set up another one as my previous backup went to my daughter for her birthday recently (but it still has my SOE hidden on it).

But also, I don't use my phone for banking because I still don't trust mobile ecosystems. I use a dedicated VM that requires a decryption password to boot up.

But yeah, banks are pushing for app usage rather than web interface, which is ironic given that my bank still only has SMS 2FA, not token-based. So why would I trust their app to be anywhere near secure in an insecure ecosystem if they can't even support proper multi-factor authentication that's been standard for, what, 5 years already?

This is a big problem for me as a traveller. If I travel long distance and I lose my phone, I lose access to both my personal and business bank.

I once dropped my phone in a lake (I'm clumsy) and was locked out of most things for a few weeks.

I prefer TOTP for most things. Keepass supports them across platforms, but Aegis has a better experience on mobiles.

Before smartphones, if you lost your passport everything went wrong as well (and noticing your phone is missing and getting it back is way easier than with a passport).

Everything? The only thing that goes wrong is being unable to travel internationally, but I think consulates often have a process for issuing emergency documents even for that case?

eSIMs are available these days so you don't have to wait for a new SIM to arrive... if your provider and phone support this feature.

Don't eSIMs have an even worse failure mode? If the phone itself dies then there's no SIM for you to take out and put into a new phone immediately right? As I understand it you have to first find another phone (with a working line!) to call your provider with, hope that it's within their business hours, and wait on hold for who knows how long, until you finally get it set up? Because of course you don't have anything urgent you need to take care of in the meantime while you wait for your carrier to give you back the keys to your digital life right?

Phone companies don't let you apply for replacement esim through a website?
I don't have the same view, in my mind you have created a single point of failure for _yourself_. I use Authy for MFA, which comes with a desktop app. Phones dead / missing? No problem, I can get OTP's from my laptop.

What about text messages? Google voice. Which of course has a desktop interface. I've been doing this for years. It's nice not to have to rely on a watch, or phone entirely - although they do make my life easier.

Sure, blame the user, that is the mature response whenever someone is pointing out that modern ID security is a topple tower.

Whatever technical solutions can be made don't really matter unless normal people can and do use them correctly. In any case, simply setting up another non-phone computer to do the job of the smartphone doesn't change the fundamental issue, it can still break, or get stolen, or some account can get closed for spurious reasons.

>"Sure, blame the user, that is the mature response..."

We're all here to make our own decisions. We're all here to seek enlightenment. I've made it very clear that the decisions that I have made have placed me where I don't have the same issues as OP.

I'm enlightening OP, and everyone who reads these comments, I'm not "blaming" anyone.

Especially when the user is a senior or a minor, blaming the user is not really the solution.

The issue is that some services insist on using their own app as a second factor. You can't choose to use a superior U2F YubiKey, for example. You are also not allowed to have their shitty app installed on multiple phones at the same time. If you lose your phone, you need to call them up to reset this.

To name and shame: BNP Paribas, one of the biggest banks in France.

> you need to call them up to reset this

My bank sent me a super key (some colorful QR code) to setup new 2FA devices, which I need to securely store somewhere.

It's interesting that a super key even exists. Normally the enrolment QR codes are one time use only.

> Google Voice

Anecdotally, my bank (Wells Fargo) will not accept VOIP numbers for 2FA.

Yup. Chase does the same thing. They blackhole SMS to Google Voice.

Yet another push to get a better bank, in addition to all their ridiculous fees. Ally blackholes Gvoice (messages just disappear), but gives you an email option to login. When calling customer service, they can do the challenge with a phone call rather than SMS. Capital One, Discover, and Alliant all seem to accept Gvoice just fine.

There of course is a major problem that Gvoice seems to be special, in that many places will accept Gvoice but not standards-based VOIP competitors. I even had a problem with someone on "Comcast mobile" not being able to text a Voip.ms number of mine.

Probably Comcast Voice. Comcast/Xfinity Mobile is a Verizon MVNO.

Someone, somewhere decided: your digital life is going to be tracked and recorded to a 3rd-party cloud. To accomplish that you were given a central device (the smartphone) on which you ought to do everything related to your digital life. So how do you remedy this?
> I can't log in to any of my banks without my phone.

Don't know about banks in Europe but in USA, I can log into Bank Of America and JP Morgan Chase without any phone authentication.

If I reformat my hard drive or buy a new computer and the bank doesn't recognize the web browser because no previous cookie has been found, the website will generate a one-time code and send it to my email address. I then enter that security code and the web browser is "recognized" without further issue. The smartphone was not needed in any step.

EDIT ADD: I did open my bank accounts before 2007 and thus before the smartphone era. Because of that, there may be a possibility that my logins are "grandfathered in" to not require any smartphone app authentication. It's possible that creating new accounts today with BofA/Chase might require smartphones but somebody else would have to confirm/deny that.

My Swedish bank offers two methods. One is the nationwide e-identification system called BankID - used for loads of commerce/governmental/identification/authentication in Sweden - which requires Internet access and works on computers as well as smartphones. The other method uses a discrete HOTP-type device (with a personalized login card) which accepts a challenge code from the bank login page and outputs a digested authentication response. As far as I know, all major banks in Sweden offer both or at least one of these two methods.

In the past a lot of banks here used OTP scratch cards, and would automatically send you a new one in the mail when you used one of the 10 last codes or so on the card.

In Italy it's a disaster. You need the phone /and/ their specific app, for mostly everything. From burgers, to banks and everything in between...

Similar experience in the US with the banks I’ve used. I can simply use the PC without involving my phone.

Also if all else fails I can go in to the bank and take care of things.

A bank in Finland: they try to push their authenticator, which doesn't work on my phone (de-googleized Android and too old), but they have retained the option of using an OTP code list + SMS; previously it was just the OTP code list, but due to some silly directives they added SMS.

Authenticating with bank OTP also work for government and other stuff. (Common here as there is no state authentication system other than some failed id cards afaik.)

In Europe we have it in a few countries.

In my case - you enter your unique ID (6 numbers), then I have to type a 4-number PIN on my phone. There's also a verification number shown on both sides, to compare authenticity. When approving payments, it also shows details and requires a longer PIN code.

Much easier than earlier versions.

And the authentication provider can be used for insurance, e-government, e-signing and other services.

I can log into my bank without my phone in Denmark, but they are pretty much getting rid of that capability. Supposedly more 'secure'

That's code for 'cheaper'. Banks in the Netherlands are constantly trying to push all their customers to their apps, some (like ING) are actively trying to get rid of their alternative (but keep getting somewhat forced to offer it), and some (like BUNQ and KNAB) are 'smartphone only' from the start.

Cryptographically, the idea of a discrete piece of hardware that uses the chip in your debit card to generate secure responses is fairly sound. And if smartphones didn't exist, it would be an unquestioned piece of technology that might even be commodified to the point that any such device could be used by all banks in the country. But smartphones exist, and having the customer loan the banks their hardware (which is often replaced within five years, so free updates too!) is quite attractive. No more hardware to support!

Go through the whole list and figure out which of these services really requires your phone, and which you have set up on your phone because that seemed the easiest path.

Tell your workplace you're about to switch from carrying a phone to a landline: what is their fallback option? (It's about 50/50 whether they have one, but they definitely should.)

This is the best way to go about this (the first line, the second line is rather variable). Phones didn't suddenly become a single point of failure, it's mostly middle-management combined with checkbox-security that ends up with SMS, TOTP and push-based confirmation factors. It's not the best way, but the easiest way to set things up.

To make matters worse, TOTP is easy to copy for 'backup' purposes, so it's really not all that good (but still orders of magnitude more secure than SMS), but people are now actively encouraged to use multi-device TOTP like authy which practically invalidates it as a separate factor.

There are of course practical implications as well. Giving everyone a Yubikey is problematic due to cost, same with smartcards and readers at every workstation (the card isn't the problem, replacing everything with readers and changing the authentication system to accept smartcards is). RSA SecurID is expensive too, and essentially just TOTP. You could only use FIDO-enabled devices like the ones with secure enclaves, but that has the same problem as smartcards.

One thing that happens a lot around here is people carrying two phones, which doesn't solve anything but does shift the work/blame/cost on the company because everything will have to be done on 'their' device. This is a bit impractical because now you're constantly walking around with two phones, or have to manage which phone you happen to have on you.

On top of everything else: all other second factors can be lost too, that is by design because it is supposed to be 'something you have'.
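
The "super key" QR code a few comments up and the point above about TOTP being easy to copy come down to the same fact: the enrolment QR carries the whole shared secret, and RFC 6238 is nothing more than HMAC over a time counter, so whoever holds (or photographs, or exports) that secret mints the same codes as the phone. The block below is an added example, not code posted by any commenter or shipped by any authenticator or bank. The issuer, account and otpauth:// payload are constructed; the secret is the RFC 4226/6238 test key ("12345678901234567890" in Base32), so the codes it produces can be checked against the RFC appendices. It parses the enrolment URI, derives HOTP and TOTP codes, shows the verifier-side clock-drift window, and shows two "devices" enrolled from one scan producing identical codes.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrolment payload: the otpauth:// URI that an "add a device" QR code
# encodes. Issuer and account are made up; the secret is the RFC 4226/6238 test key
# ("12345678901234567890" in Base32) so the codes below can be checked against the RFCs.
EXAMPLE_QR = (
    "otpauth://totp/ExampleBank:alice%40example.org"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBank"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri):
    """Pull out everything a device needs to mint codes: the whole secret is in the QR."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].upper().rstrip("=")
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # re-pad to a multiple of 8
    return {
        "label": unquote(u.path.lstrip("/")),
        "key": key,
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(params, at):
    """RFC 6238: HOTP whose counter is the number of `period`-second steps since the epoch."""
    return hotp(params["key"], at // params["period"], params["digits"], params["algorithm"])


def verify_totp(params, code, at, window=1):
    """Server-side check that tolerates +/- `window` steps of clock drift.

    compare_digest keeps the comparison constant-time; a production verifier would
    also refuse to accept the same step twice (RFC 6238 section 5.2) to block replay.
    """
    step = at // params["period"]
    return any(
        hmac.compare_digest(hotp(params["key"], step + d, params["digits"], params["algorithm"]), code)
        for d in range(-window, window + 1)
    )


def clone_codes(uri, at):
    """Two independent 'devices' enrolled from one QR (or one backup export): same codes."""
    phone = parse_otpauth(uri)
    laptop = parse_otpauth(uri)
    return totp(phone, at), totp(laptop, at)


if __name__ == "__main__":
    now = int(time.time())
    params = parse_otpauth(EXAMPLE_QR)
    print(params["label"], "current code:", totp(params, now))
    print("phone vs laptop at t=59:", clone_codes(EXAMPLE_QR, 59))
```

Because nothing in the scheme ties the secret to a particular device, the "something you have" is really the secret, not the phone; a bank that wants one-device-only behaviour has to enforce that with its own app, which is exactly the lock-in the thread complains about. Anyone who keeps the enrolment QR as a recovery key should treat it with the same care as the password it is meant to back up.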

Yeah, if my employer wants me to use a smartphone app, they better cough up a smartphone for me to use. I'm not installing anything work-related on my private one, because I am in no position to guarantee that I won't break it or lose it.

I've had pushback from the employer about this a few times, but in the end, there's nothing they can do.

My workplace's solution was to simply turn off 2FA for my account

Depends on the security requirements and terms of employment. Where I work now, you’d get a hard token or work phone if you’re deemed as requiring a phone.

In the previous job, you were sent the form for 24x7 building access and were free to drive into work within the on-call response period. You were also reimbursed for your cell phone, that was the bronze handcuff.

Under current case law in the US, my understanding is that public ("operational realities" and reasonable suspicion tests) and private employers (fewer tests) have rights to audit any information on employer-compensated devices they wish (and have access to).

I only use a work phone for work business. If my work requires me to use a phone, I require a work phone.

Carrying two phones is a small price to pay to avoid worrying about an overzealous employer's IT staff.

https://en.m.wikipedia.org/wiki/City_of_Ontario_v._Quon

https://en.m.wikipedia.org/wiki/O%27Connor_v._Ortega

> Tell your workplace you're about to switch from carrying a phone to a landline

In my country we still respect people who use dumbphones, because a religious minority eschews the smartphone. I'm very grateful for this, I tell my bank and other entities that I have to deal with that I have a dumbphone and all local entities have a path for accommodating this.

Good 2 factor auth systems will provide the option to be called on the number on your account.

Why should they have a landline fallback?

Because in Operations you need to cover all the scenarios, regardless of what the Developers think is the "only way" to do something.

So let's say you change phone numbers and FORGET to change one of the important websites that use that number for authentication?

Or you change phones, wiping the old one before selling it to your friend and setting up the new one from scratch?

Some websites are terrible/impossible at letting you recover your account when you've lost access to the phone number or the exact instance of the phone used for authentication.

Because using phone numbers to decide if human or bot is cheap, easy, and effective.

Politically, there is no will for a national identity verification type service as infrastructure. And this way, all the work gets outsourced to ATT/Verizon/T-Mobile, and politicians get to say “it is not our fault” and telecoms get to say “it is not our job”.

And scamming yourself to another person's phone number to entirely take over their digital life is also cheap, easy and effective.

And that is a problem for a sufficiently small population that it is not yet a political priority. Crazy, since the federal government already does passports, and the infrastructure is basically in place with USPS offices.

ID is an issue that both extremes of the political system are against.

Super conservative types are worried about mark of the beast, etc. Super progressive types are worried about folks on the margins of society being able to get ID.

You don't need a smartphone to have and use a phone number. I suspect the OP is about smartphone app authentication.

Oh, yes, I think I misread. In that case, I guess the spam/bot reduction efforts are outsourced to Apple and Google's App Store and mobile OSs.

The lack of political will you speak of is better seen as a reaction to the deeper problem that there is no political will for protections that would go against commercial desires. Social security numbers were created solely to facilitate social security but had no legal protections enforcing this, and thus are now being widely abused by private companies. The same with driver's license numbers. Without a US GDPR that gives me the right to delete my permanent records from corporate surveillance databases, I am dead set against government mandates that would create even more vulnerabilities for unaccountable surveillance companies to exploit.

Only banks do that. All other services accept TOTP (which you can have on multiple devices) or YubiKeys/webauthn/U2F (where you can add multiple hardware keys).

And even here, my bank accepts two (or more) devices with an active instance of their app. So the solution to this spof is the same as always: redundancy. You need a second phone. Your old one is probably good enough.

I've never seen a bank accepting more than a single device with an active instance of their app. I would be over the moon if they did but they don't. So, last time I broke my phone, it took quite a while to get access to my bank accounts again.

My bank (Polish mBank) even has a section in the web UI to manage these devices along with other access channels.

Probably because I've heard the statement: "Everyone has a smartphone these days, so..." for the description of every app you describe. It makes some sense: single purpose devices for authentication tend to be set aside and misplaced. So it's the union of ubiquity and ease of use.

Next time you upgrade, keep the old phone. Have both phones set up so they can do MFA. If you are doing OTP, make sure to use an app that allows you to backup/export. AndOTP is very good if you're an Android guy.

Not true at all. If they are able to log into your e-mail, then things will start to fall apart. But just getting your phone will not allow anyone to break into your MFA secured accounts. Your phone is something you own, but they still need something you know (i.e. your password). I feel like you might get a more nuanced perspective by looking into security related topics, specifically around authentication.
I'd bet almost everyone is logged into email on their phone. If you can trigger a password reset over email, and can access the 2FA (SMS or TOTP app), you can get into just about anything.

The "nuanced perspective" here is that regular people don't use MFA authenticator apps. They use SMS 2FA, if anything. Once you accept that, you're right back to "smartphones as a SPOF."

Phones are encrypted and protected by a lock screen, or am I being naive?

Because it is indeed the thing everyone carries almost all the time. Could you do these things without your passport/ID/driving license before smartphones appeared?

I have two smartphones for 2FA, one never leaves the house. But it would still hurt losing one while traveling.

I use Google Voice, and the number that I use for PINs I can log in to with just a password. That way I can always access text messages even if my phone is gone. You need it when traveling and your shit gets jacked.

I haven't tried it but an Android emulator should allow you to use apps without a smartphone.

> I can log in to with just a password

You're logging in with a Google Account and when the account gets locked it's game over with no chance of appeal.

https://news.ycombinator.com/item?id=31070914

If the banking software lets you log in via an Android emulator I'd say it's a pretty badly written piece of banking software.

I understand why HN readers would want to maybe use an emulator to avoid having a phone but really what other use case is there than that or a scammer trying to spoof you.

Is running an app inside an Android Emulator (i.e. the ones that come with Android Studio) something the app can detect then?

> I can log in to with just a password

If you can, so can anyone. Although using a unique/rare password (globally, not just among your accounts) is probably enough to make this a non-issue.

Some apps will. But most "secure" apps would refuse to run on the virtual device.

It's a trade-off. It's very convenient for me to pay with ApplePay. But there's a risk I won't be able to pay for groceries if my iPhone is out of juice.

All my OTPs are in Bitwarden and FreeOTP.

The only thing I currently need my phone for is Google's new device login and even that goes to my tablet too.

Can you use Bitwarden for TOTP? I already use it for my passwords but for TOTP I have multiple apps and I hate it
Yes you can[1]. Whether you want to store TOTPs together with your username and password is something you have to figure out for yourself.

Browser integration works nicely, but not as smoothly as Apple's Keychain autofill. If you go hosted you will need a premium subscription. If you are okay with self-hosting, vaultwarden[2] supports TOTP as well.

[1] https://bitwarden.com/help/authenticator-keys/ [2] https://github.com/dani-garcia/vaultwarden

Yes. You have to pay for the premium version for TOTP, but it's only $10/YEAR.

Yes. There's an "Authenticator Key (TOTP)" field. Been there for several years.

It also supports SteamGuard TOTP.

This has been my point for the last 5 or 10 years. That's why I have a "home phone" with banking apps, 2FA and important stuff installed. It has no SIM card and never leaves home. For everything else I have my "street phone".
Many banking apps require a phone number/SIM card to operate, but assuming you can copy codes, etc., what happens when you want to use those apps out and about (or abroad) if the phone never leaves home?

Yes, but then again, I'm looking at seven older smartphones —right now— on my desk, and only one is even capable of running /all/ those apps.

I had to buy it just because of that. 'cause even my Huawei P-Smart 2021 (currently in my pocket and not among the others on my desk) can't run some of those pesky apps.

Then change the bank you deal with. At least in the EU, this 2FA was due to PSD.

Please also note that any changes will impact some people. How often do you lose your smartphone? If every month then it is sad. You need to find a bank that still uses cheques etc.

No point in whinging. If something works for 90 % of people then get used to it.

For example, I did not like joining facebook for my children's school nor whatsapp groups but did it as most of them did it.

Part of the point he's trying to make is that eventually there probably won't be a bank that isn't like this.

Are you saying all of these systems enforce SMS-based 2FA rather than the sane choice of TOTP? That's unwise and unfortunate.

Many enforce 2FA through their own app, so TOTP is not an option.

It's the same plague, whether SMS or their own home-baked authentication scheme.

No, they enforce it through their own crappy app which only works on a few platforms.

To make things worse, if I install the app for my Swiss bank on a different phone, I need to wait for snail mail to get the activation code.

Where do you live? I don’t have any services that require my phone. Many have two-factor auth, but I just save the keys in my password manager which I can access from any of my devices.
But that's kinda convenient [1]. The problem is that there's no real proper fallback/backup plan.

[1] Not only is it convenient, it's also similar to what all the future predictions regarding technology said: some small gadget or bracelet connecting over the air and doing stuff.

There is a backup plan. For corporate systems, contact the IT department. For banking, call the bank or go to a branch. TOTP-based schemes can be backed up and used on multiple devices. So on and so forth.

It just so happens that most of these backup plans are incredibly inconvenient and might take a long time and effort to get through them.

I hate it. They have been phasing out web for years in the EU.

Banks mostly but these days employers too. Getting a separate device, or multiple, seems like the least horrible options to me.

Turns out everyone wants a piece of my data in the name of convenience. Only, it's their convenience, not mine.

"They have been phasing out web for years in the EU."

This is such a perfect summary of the situation; thank you for formulating it so clearly. To me it is insane that we are switching from a perfectly open and interoperable standard to the walled gardens of iOS and Android.

This is why I ordered both GNU/Linux phones, Librem 5 and Pinephone, to support the alternative. Of course, I have problems with the apps now, and I refuse to install them as much as possible. Every time someone tells me about an app, I'm asking whether they have an app for my Linux smartphone.
> I can't log in to any of my banks without my phone

Glad it's not only my problem. Force banks to support TOTP. They will not do it voluntarily; they have too many "experts" selling dedicated apps to management because "securitay".

It's a physical device with access control that is unique to a single human, three nines.

Indeed it's an incredibly stupid development. Fuck smartphones, really. I don't own one and I feel happy overall, but life is complicated because nowadays some sort of stupid app is required (most of the time, for no good reason) and dealing with those requirements always costs so much thinking.

I don't want a micro-computer in my pocket, I stay at the computer all day anyway, a better one.

Why can't I do with a real computer what it is possible to be done with a phone?

A smartphone is just a tracking device, and it is terrible for privacy - but great for advertisers and similar industries.

Otherwise, a computer should be able to do everything a smartphone does.

Amen to that.

Plus, half of the 2fa apps from the various services (most of which just want their very own app) work only on recent phones and most won't even install without google-services.

And if you lose your phone, you're toast!

So, it's not enough to have one smartphone always at hand...

You must have a backup phone too!

... and both must be fairly new... and they must both bear the all-dreaded google-battery-eating-spyware...

Absolutely!

I lost my iPhone 7+ recently and had no idea how attached I was to that phone. Being someone conscious of infosec I had iCloud turned off and what I thought were minimal apps installed. That said, and with the fingerprint reader/my 18 char PW, I'm pretty sure no one besides a nation state/NSO could get into my phone. So losing it wasn't really a big deal except for the loss of contacts (had most on an old phone) and being locked out of my email (thanks 2FA).

Unlike you, I haven't gone fully phone free. But I do now have a free Android phone that has nothing on it that I can be locked out of. No medical, no banking, nothing personal except for email. And if I felt I could get away with it, I'd have no phone at all.

Me too; in my ideal world I wouldn't have a phone, but now I need one for transport, food, financial services, nearly everything.

I don't know where you live, but in Europe you can still live without a smartphone. But I live in a city with good public transport (no need for Ubers); banks still work without a smartphone (but you need a burner phone for SMS, unfortunately), etc.

"Europe" is big and diverse. So while there exists places in "Europe" where that is true, in many other parts of "Europe" it is getting harder and harder.

Oh, I don't know about the rest of Europe, but here in Italy you either have to deal with it, or restrict yourself oh, so very much (to the very few services that still work without a phone). Here most everything, even state portals such as medicare, tax, national motorists' services, pension services, etc., is nigh impossible to access without a phone.

And it's so sad.

if only there was a way to prove who you are through some kind of system

oh I don't know, like the public/private key infrastructure that works well in crypto

solutions are clear

Why did gasoline become a single point of failure in automobiles? Why did the strings on my guitar become a single point of failure?

Creating redundancy for every dependency is not always practical or economical.

Terrible comparison. If you don't have gasoline you can still walk, get a cab or take the bus to wherever you're going. It's not gatekeeping anything, it's just a convenience.

Strings on your guitar can be readily replaced, and again, it's not gatekeeping you from your finances or your employment (unless you're a musician, but in this case I'm sure you'll have spare strings and instruments so that if one breaks you can carry on without much thought).

> If you don't have gasoline you can still walk, get a cab or take the bus to wherever you're going.

Not all of us live in an area where those options are available. But I can transport your arguments back to the OP post. You can still call your bank from someone else's phone. You can still walk into a bank branch or use an ATM. Using their website is just a convenience. If you lose your phone you can just get a new one and carry on without thought (replace it).

If you don't have your bank's app, you can still go to the actual bank and tell them to do your transactions.

I hate to put this to you, but the content of your post sounds like a whinge about the need to install an app on a smartphone instead of the device itself being the single point of failure; whereas the title suggests a genuine question about security architecture.

To address the content of your post - ask for a different option. Be it ending up carrying a separate smartphone, an old-school token device, a YubiKey, or rocking up to your bank's local branch showing your ID. Your choice. I couldn't find evidence that the smartphone is a single point of failure, because the user has chosen convenience as a priority. Also smartphones are not the smallest when compared to other options such as the token device and YubiKey listed above.

To address your question in the title, and leaning towards the intention of the smartphone being used as a security device - manufacturing software is cheaper and more controllable than hardware in terms of update delivery; also because the smartphone itself already has anti-theft features such as passcode and biometrics built in. UX-wise, users prefer carrying something they already carry, instead of multiple keys/devices that look alike and are easily lost.

Dude, what? How many services require SMS 2FA again?

Your phone is indeed a SPOF. If you lose your phone, you're fucked in a variety of scenarios. To say nothing of services that require a custom app and accept nothing else.

Yep! I have all of the things above (yubikeys, many PCs, a couple voip numbers with SMS, ability to emulate Android on PC, a host of old smartphones...) still, if I lose the one smartphone on which -that- custom app is installed, I'm hosed.

And I can't even install the app on a second phone, because: ah, ha! Only one at a time! There is no installing two, Luke. Only one there will be. (There you go... quotation inception.)

Thanks for addressing me as "Dude" and using the f-word!

1. OP is asking smartphone; SMS 2FA does not require a "smartphone", but "mobile phone".

2. Alternative options mentioned above should you be in the misfortune of losing your... "phone"

