alt Hacker NewsThis is a really good point, "cell service will always be available" is a classic incorrect assumption that needs to be shattered. I do kinda wonder what the correct way forward is, I think it's silly that ISPs don't support this type of SMS over wifi but I have no clue why. Meanwhile TOTP apps are rightly pointed out to be too numerous with unclear trade offs, I'm surprised ios and android don't have native TOTP apps (afaik).
As an aside, I hate the nuance-less "SMS 2FA is insecure" line. It's the weakest 2FA form for sure, but it's still so much better than not having 2FA. Even if you support multiple options depending on your product it may very well make sense to stick with SMS as the default to reduce friction.
Replies
> I'm surprised ios and android don't have native TOTP apps (afaik).
They do.
Google's Authenticator is as close as it gets to a native Android app, and your secret keys are sync'ed in Google's cloud for a while now (it's a shame they waited so long).
Apple's Keychain has supported TOTP for ages too.
That said OTPs over RCS instead of SMS are a major improvement if you don't mind your phone number being used as an identifier.
I'm pretty sure they both do have TOTP but it's not well documented that it even exists, and it's difficult for regular users to use. In iOS it in the Passwords app (née Keychain) and in Android I think it's buried in the settings app of all places. People don't know it exists and don't know how to use it, and even if they did, unless you're already using it for password management, it's difficult to know how to find it. Instructions usually default to a single authenticator app, like Google Authenticator or Microsoft Authenticator, so people end up with multiple apps (Not to mention the garbage adware that always pops up in app store search). And half the time the instructions simply say "Your authenticator app," which doesn't help Joe Schmoe who has no clue where he saved that OTP.