Other people have answered better, so I’m only going to take on the elevator speech of personal security concepts:
1. There is no such thing as perfect security.
2. There is such a thing as an appropriate depth of defense.
3. For general consumer protection, dedicated authentication > SMS, BUT,
4. SMS has less overhead and more portability.
The days of being reasonably secure without active effort at self-educating are ending (truly, already gone)… kind of like an economically transmitted disease, Privacanemia©.
They’re trying to protect against very basic attacks. SMS 2FA is totally insecure, but unless it’s a targeted attack against something high value (think a Bitcoin exchange) the attacker will just not bother.
The main thing companies deal with is password reuse. Someone uses the same password everywhere, one site gets hacked, hackers now know that John at example com likes to use qwerty123 as their password, so they try logging into every service they know with that email/password combo. SMS is good enough to stop that.
At the same time it’s easy and companies can force it on people if they have their phone number, even without explicitly setting it up.
And they can outsource recovery to phone companies. Lost your phone? Well go get a new SIM card with the same number and don’t bother our understaffed support…
The assumption is that if they’re at the point where they’re intercepting your particular text messages, you probably have bigger problems.
Really, what it’s supposed to protect against is random opportunistic attacks.
Someone guesses your Amazon password and now they can buy loads of stuff on your account. Two-factor prevents this so that even if they guess your password they can’t gain access.