If SMS is not encrypted, why do companies send 2FA over text instead of email or something else?


Couldn’t someone intercept the text and get into my account?


26 Answers

Anonymous 0 Comments

Approximately 50% of users delete an app when it requests an email (real statistic). I imagine another 25% will quit when you ask for 2FA. Make that an authenticated app and it’s probably 40%. It’s about user retention.

Anonymous 0 Comments

A good number of high-profile attacks have succeeded by impersonating the target's phone number and receiving the SMS for 2FA. I don't know how it's done.

Anonymous 0 Comments

I'm really curious as to what different sites or apps you use that require 2FA. I only have one bank account that uses 2FA, and I use email instead of text. Are you using 2FA for sites not related to banking?

Anonymous 0 Comments

Part of this is the theory if one is compromised the other is less likely.

Think of this: a data breach exposed emails and passwords, so they then know how to log in to that platform. A lot of people use a common password, so that person could be more likely to get into that email with the same password.

If the 2FA is by another system, SMS, that would require the physical phone, which is much less likely to be intercepted without more info.

Anonymous 0 Comments

2FA means you need to authenticate with two factors, generally something you know (your password) and something you have (ideally an authenticator app, but in this case SMS). Generally speaking, 2FA is something you have to turn on in your account settings, and, as a hacker, this isn't something you would do unless you were trying to lock the true owner out of their account. At this point the theft has already happened and 2FA doesn't even matter anymore. Given that you need to turn on 2FA, generally that means you are also registering your second factor of authentication (phone number or authenticator app). Your phone is something you would have, and thus receiving a text at a number you registered somewhat satisfies that requirement.

There are ways to intercept these messages as a malicious actor, but targeting an individual isn't likely, especially if they already have 2FA turned on. It's much more likely that they would attack a password storage provider like LastPass to gain access to the many more credentials they store. 2FA kicks in here because even if they could decrypt the passwords they've stolen, they couldn't also log in without your phone, which is simply something most hackers aren't going to bother trying to steal, unless of course you are a notable person and targeting you would bear rewards that make that additional risk worthwhile. If you're on Reddit, you're probably not one of those people.

Anonymous 0 Comments

Companies still use it as it is less technically challenging for them and for many users. I disable 2FA via SMS whenever I have a more secure option. Though as mentioned it is better than nothing.

The funny thing is, many bank services have worse security options compared to a lot of other services like gaming (Twitch, Xbox, etc.) and social media (Reddit, Facebook).

Anonymous 0 Comments

Who cares? Even if they did, your phone will show a pop-up, even on the lock screen, that would show anyone with access to your phone what the 2FA code is.

Anonymous 0 Comments

Security always comes down to a compromise with usability. The more usable, the less secure; the more secure, the less usable. SMS is a good compromise because almost everyone has a phone. Same reason some do phone-call authentication, because then even a landline can be used.

Anonymous 0 Comments

Your statement "SMS is not encrypted" isn't actually true. SMS is *mostly* encrypted. However, the message is encrypted in "hops". The intermediate agents (telecommunications operators) decrypt the message, then re-encrypt it when they pass it on.

The message between one mobile phone and another goes in four steps.

a) The message IS encrypted when it leaves your phone and travels as a radio wave to your telecommunications operator Telco A.

b) Telco A decrypts the message when it arrives at their internal computer which handles messages, the SMSC (Short Message Service Centre).

c) Telco A passes the message unencrypted over a private channel to the telecommunications operator Telco B, which is the telco for the recipient.

d) Telco B passes the message encrypted over the radio waves.

In the case where the sender is a bank, steps (a) and (b) become:

(a/b) The bank sends the message to their telecommunications service provider Telco A over a channel which is typically encrypted via SSL.

Anonymous 0 Comments

The point of a text for 2FA is to check that you have the device; it doesn’t matter what the contents of the message are unless you think someone is going to real-time steal the code and somehow respond with a message that tricks the service. That’s some Impossible Mission shit.
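The last two answers together describe the actual risk model: the code is plaintext at every SMSC on the path, and the attacker has to use it before the legitimate user does. What the service can control is how little a stolen code is worth. The block below is an added example, not code from the original thread: the server side of an SMS one-time code with a short lifetime, single use, an attempt cap, a keyed hash instead of the stored plaintext, and binding to the login session that requested it. The in-memory store, the `outbox` list standing in for an SMS gateway, the phone numbers and the class and method names are all constructed for this example.

```python
"""
Added example (not from the original thread): server-side handling of an
SMS one-time code. The code crosses the carriers' SMSCs in the clear, so the
server bounds what an intercepted code can do: it dies after CODE_TTL_SECONDS,
works once, tolerates MAX_ATTEMPTS guesses, and is tied to one login session.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

CODE_TTL_SECONDS = 300   # a code is dead five minutes after issue
MAX_ATTEMPTS = 5         # after that the session must start over


@dataclass
class PendingCode:
    digest: bytes        # keyed hash of (session, code); the plaintext code is never stored
    expires_at: float
    attempts: int = 0
    used: bool = False


class SmsOtpService:
    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._pending: Dict[str, PendingCode] = {}
        # (phone, message) pairs handed to the "gateway"; a list stands in for the real one.
        self.outbox: List[Tuple[str, str]] = []

    def _digest(self, session_id: str, code: str) -> bytes:
        # Mixing the session id into the MAC means a code issued to one login
        # attempt cannot be submitted against another session.
        return hmac.new(self._key, f"{session_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, session_id: str, phone: str, now: float) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, uniform over 000000-999999
        self._pending[session_id] = PendingCode(self._digest(session_id, code),
                                                now + CODE_TTL_SECONDS)
        self.outbox.append((phone, f"Your verification code is {code}"))

    def verify(self, session_id: str, code: str, now: float) -> str:
        pc = self._pending.get(session_id)
        if pc is None:
            return "no_code"
        if pc.used:
            return "already_used"
        if now > pc.expires_at:
            del self._pending[session_id]
            return "expired"
        if pc.attempts >= MAX_ATTEMPTS:
            del self._pending[session_id]
            return "locked"
        pc.attempts += 1                     # counted before the comparison, so guesses cost
        if not hmac.compare_digest(pc.digest, self._digest(session_id, code)):
            return "wrong"
        pc.used = True
        return "ok"


if __name__ == "__main__":
    svc = SmsOtpService(secrets.token_bytes(32))
    svc.issue("login-1", "+15555550100", now=0.0)
    sent = svc.outbox[-1][1].split()[-1]       # what the user's phone received
    print(svc.verify("login-1", sent, now=10.0), svc.verify("login-1", sent, now=11.0))
```

Two of these rules matter most against the interception the thread worries about: single use means that whoever submits the code first wins, so an attacker reading SMSC traffic must also beat the user to the login form, and session binding means a code lifted from one victim's phone cannot be fed into a login the attacker started elsewhere.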