And the companies that know better should be fined and sanctioned, particularly the ones that are demanding SMS-based OTP so they can also add your phone number to their social graph.
The problem is purely with how some companies are applying SMS as an auth factor. In cases where SMS is being used as a recovery factor, it should not be allowed for immediate recovery. Instead the user should be notified via other channels (email, phone notifications) about the recovery attempt, be given the opportunity to reject it, and the recovery should only succeed if it is not denied after e.g. 3 days.
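The delayed-recovery flow the comment above sketches, as an added example (not code from the thread or from any vendor mentioned in it): an SMS-initiated recovery request is opened but cannot be completed until a waiting period has elapsed, the account's other channels receive a deny token, and a valid deny cancels the request. The 3-day delay, the `RecoveryService` class, the channel names and the in-memory store are all assumptions for illustration; the notifier is a plain callable so the flow runs offline.

```python
"""Added example, not from the thread: SMS as a recovery factor with a
waiting period and an out-of-band veto. The SMS holder only gets a request
id; the deny token goes exclusively to the account's other channels, so
whoever hijacked the phone number cannot both start and approve recovery.
Names, delay and storage are assumptions for illustration."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

RECOVERY_DELAY = timedelta(days=3)  # assumed waiting period ("e.g. 3 days")


@dataclass
class RecoveryRequest:
    account: str
    created_at: datetime
    deny_token_hash: str          # only a hash of the deny token is kept
    state: str = "pending"        # pending | denied | completed
    notified: List[str] = field(default_factory=list)


class RecoveryService:
    def __init__(self, notifier: Callable[[str, str], None],
                 delay: timedelta = RECOVERY_DELAY):
        self._notifier = notifier   # notifier(channel, message)
        self._delay = delay
        self._requests: Dict[str, RecoveryRequest] = {}

    def start(self, account: str, channels: List[str], now: datetime) -> str:
        """Called after the SMS code was verified. Opens a pending request,
        notifies every other channel with a deny token, and returns only the
        request id to the caller. Access is NOT granted here."""
        request_id = secrets.token_urlsafe(16)
        deny_token = secrets.token_urlsafe(32)
        req = RecoveryRequest(
            account=account,
            created_at=now,
            deny_token_hash=hashlib.sha256(deny_token.encode()).hexdigest(),
        )
        for channel in channels:
            self._notifier(channel,
                           f"Recovery requested for {account}. To reject it, "
                           f"use deny token {deny_token} (request {request_id}).")
            req.notified.append(channel)
        self._requests[request_id] = req
        return request_id

    def deny(self, request_id: str, deny_token: str) -> bool:
        """Owner veto from a notified channel; works any time while pending."""
        req = self._requests.get(request_id)
        if req is None or req.state != "pending":
            return False
        presented = hashlib.sha256(deny_token.encode()).hexdigest()
        if not hmac.compare_digest(presented, req.deny_token_hash):
            return False
        req.state = "denied"
        return True

    def complete(self, request_id: str, now: datetime) -> bool:
        """Succeeds only if still pending and the waiting period has passed."""
        req = self._requests.get(request_id)
        if req is None or req.state != "pending":
            return False
        if now - req.created_at < self._delay:
            return False  # too early: the owner still has time to veto
        req.state = "completed"
        return True

    def state(self, request_id: str) -> Optional[str]:
        req = self._requests.get(request_id)
        return req.state if req else None


def demo() -> dict:
    """Runs both outcomes with constructed timestamps and returns the results."""
    sent: List[tuple] = []
    svc = RecoveryService(lambda ch, msg: sent.append((ch, msg)))
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

    # Unchallenged flow: completion before the delay fails, after it succeeds.
    rid1 = svc.start("alice", ["email:alice@example.com", "push:alice-phone"], t0)
    early = svc.complete(rid1, t0 + timedelta(hours=1))
    late = svc.complete(rid1, t0 + RECOVERY_DELAY)

    # Veto flow: the deny token from the e-mail notification cancels the request.
    rid2 = svc.start("alice", ["email:alice@example.com"], t0)
    deny_token = sent[-1][1].split("deny token ")[1].split(" ")[0]
    wrong = svc.deny(rid2, "not-the-token")
    right = svc.deny(rid2, deny_token)
    after_deny = svc.complete(rid2, t0 + RECOVERY_DELAY)

    return {"early_complete": early, "late_complete": late,
            "wrong_deny": wrong, "right_deny": right,
            "complete_after_deny": after_deny,
            "state1": svc.state(rid1), "state2": svc.state(rid2),
            "notifications": len(sent)}


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is the asymmetry of what each channel receives: the SMS side learns only that a request exists, while the deny token travels over channels the phone number does not control, so a SIM swap alone neither completes nor silences the recovery.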
Something better would be great. She's probably an extreme example, but I think we techy people tend to have a warped view of how comfortable "normal people" are with effective password management.
Same, especially since I don't have a smartphone.
Oftentimes I'll go a week without looking at my phone, and by then it has lost its charge, so if an app requires an OTP to do something I often need to wait a while before it's charged enough to receive a text.
I do have a Google Voice number but I've mistakenly used my real number for a few services that frequently require SMS confirmations.
No. Send me an email, let me upload my ID, anything but SMS. SMS is completely insecure. Not only can it be passively sniffed along the way, not only can malicious actors intercept it without access, not only can pretty much any employee at my telco access it, not only can pretty much any employee at my telco get tricked into intercepting it, but by default (and therefore for the vast majority of users), it'll show up while the phone is locked!
If I claim to have forgotten my password, the first idea it has is that I should prove I still have my Security Key.
Then it suggests it could send codes to my GMail (which might actually be useful if I have another device signed into that) or to another email address it knows about (it deliberately redacts part of each address in case I am not me).
Then it resorts to suggesting I try passwords I remember using on this account. I don't know what happens if I give it a password I haven't used for a few years; 'pass' means I keep a complete git history of Google passwords, but I am reluctant to mess with this.
Then it says too bad, it cannot authenticate me.
(Actually, it doesn't send a code to your phone. It either sends a prompt to your phone, OR you can open a buried menu in some app to GET a - essentially TOTP - code.)
And I really don't call them a second factor; that conflates the whole issue of where they are stored, how they are synced and used. People should be able to recover access to their one-time passcode seed, and there is little excuse for this.
While if I lose my SIM card, I'll walk to one of my operator's shops (there's probably one within 1km), show them my ID, and they'll replace the SIM. It's the only digital identifier that I could bootstrap from if I lost access to everything in one go.