We all here live in a tech bubble. None of my friends and family have a 2FA app, or know what one is. They understand SMS, and it's better than no 2FA at all.
At worst it's no worse than SMS, but at best it's at least secure in transport and effectively free.
The downside to email is primarily that data is not a roaming perk for many. But if it's to access an app then a reasonable assumption of internet access even if not on the mobile is valid.
The other two downsides are: Some people may choose not to have their email account on the phone. Personally I don't want to carry around access to my main email at all times (the same goes for access to my main bank account, BTW.)
Also, email delivery sometimes takes a very long time, it can be minutes, if you rely on email forwarding to protect your main email address.
For literally years Google Authenticator had no means to move between phones. Of course people who were told to use it decided never to use OTP apps again after getting screwed.
Yubikeys (and Google's keys) have had issues where the keys were extractable and needed to be replaced.
and so on.
SMS has just worked. Yes, it has reliability issues, but it's almost like people can't model even the most basic ways that the non-SMS tech is basically terrible. Even Apple doesn't work well because of the broadcast behavior of the confirmations.
I don't know about Android but Apple users can literally start adopting TOTP without changing a single thing.
Providers should simply add instructions telling people that if they have an Apple device they can just go to the keychain and add the code displayed on the screen or use the QR with the camera.
buro9|2 years ago
airtag|2 years ago
Auth apps are better for 2FA, at least for me.
weird-eye-issue|2 years ago
foobiekr|2 years ago
Nextgrid|2 years ago
barkerja|2 years ago
Knee_Pain|2 years ago
pjmlp|2 years ago