Hacker News

bityard, last Wednesday at 3:03 PM (2 replies)

The ONLY accounts I have that require SMS and offer no other 2FA are financial institutions. They already have more information on their customers than most other businesses I can think of. Heck, I WANT my bank to have my phone number so they can call me if there's ever a problem. I just want insecure SMS to stop being the only minor hurdle between a fraudster and my life savings.

Companies do SMS because their VP of security compliance demands 2FA and because it's easy and has mature existing third-party vendor support. No tinfoil hat needed for this one.


Replies

reginald78, last Wednesday at 4:27 PM

No, I think he's mostly right, but it is a little more complicated. Most services demand a cell number verification on account creation for user tracking and identification under the guise of security for you. The SMS 2FA setup flow just helps push the user into coughing it up and helps sell the security cover story. Theoretically this helps prevent abuse, but there's no reason they have to abuse the data themselves after getting it for that. It's just that they will. They'll even lie to your face that they only use the number for security purposes and then use it for advertising anyway.

https://www.eff.org/deeplinks/2019/10/twitter-uninentionally...

https://techcrunch.com/2018/09/27/yes-facebook-is-using-your...

justin_oaks, last Wednesday at 6:37 PM

This has been my experience as well.

I implemented 2FA for my previous employer and we would have gladly skipped SMS 2FA if we could have gotten away with it. It's more expensive for the company and the customer. And it sucks to implement because you have to integrate with a phone service. The whole phone system is unreliable or has unexpected problems (e.g. using specific words in a message can get your texts blocked). Problems with SMS 2FA are a pain for customer service too.