The problem is purely with how some companies are applying SMS as an auth factor. In cases where SMS us being used as a recovery factor, it should not be allow for immediate recovery. Instead the user should be notified via other channels (email, phone notifications) about the recovery attempt, be given the opportunity to reject it, and for the recovery to only succeed if it is not denied after e.g. 3 days.
Something better would be great. She's probably an extreme example, but I think we techy people tend to have a warped view of how comfortable "normal people" are with effective password management.
https://support.google.com/accounts/answer/6361026
I.e. use smartphone prompts as the first factor (without causing password resets), while the password is just a backup when the phone is not available.
I also do that everywhere. As a matter of principle, I have decided to not remember any passwords in my life. I call it "login by email".
Turned out that the text box for entering the new password allowed a different number of characters than the one for logging in.
Same, especially since I don't have a smartphone.
Often times I'll go a week without looking at my phone and by then it has lost its charge so if an app requires a OTP to do something I often need to wait a while before it's charged enough to receive a text.
I do have a Google Voice number but I've mistakenly used my real number for a few services that frequently require SMS confirmations.
No. Send me an email, let me upload my ID, anything but SMS. SMS is completely insecure. Not only can it be passively sniffed along the way, not only can malicious actors intercept it without access, not only can pretty much any employee at my telco access it, not only can pretty much any employee at my telco get tricked into intercepting it, but by default (and therefore for the vast majority of users), it'll show up while the phone is locked!
If I claim to have forgotten my password, the first idea it has is that I should prove I still have my Security Key
Then it suggests it could send codes to my GMail (which might actually be useful if I have another device signed into that) or to another email address it knows about (it deliberately redacts part of each address in case I am not me)
Then it resorts to suggesting I try passwords I remember using on this account. I don't know what happens if I give it a password I haven't used for a few years, 'pass' means I keep a complete git history of Google passwords but I am reluctant to mess with this
Then it says too bad, it cannot authenticate me.
I can't say what it does currently but it used to say something along the lines of "you haven't used that password in a while. try something else."
(Actually, it doesn't send a code to your phone. It either sends a prompt to your phone, OR you can open a buried menu in some app to GET a - essentially TOTP - code.)
When I confirm the phone number, it sends a 6 digit SMS code prefixed with G-, like G-123456 The input box on page has already a read only G- text, & then a box for 6 digit code. After I confirm code from SMS, it gives the option to reset password.
Most of the forgot password ways to reset password is Tap on other Device prompt OR get a code from Google App.
Sample Google SMS to reset code with fictional number.
```G-007007 is your Google verification code.```
After I removed the phone number, now if i click Other Ways enough times, it simply says, give us the information about last time logged, creation date, some address I email frequently, & some other stuff, & sats it will take few days for them to get back to me.
and I really don't call them second factor, that conflates the whole issue of where they are stored, how they are synced and used. people should be able to recover access to their one time passcode seed and there is little excuse for this.
While if I lose my SIM card, I'll walk to one of my operator's shops (there's probably one within 1km), show them my ID, and they'll replace the SIM. It's the only digital identifier that I could bootstrap from if I lost access to everything in one go.
