
Makes sense in principle, but what's the alternative? Do we get rid of 2FA altogether?



Multi-factor authentication doesn't need a cellular phone. I personally use TOTP codes and security keys whenever I can, as I am very wary of giving away my phone number (I want to believe this is why I rarely get spam calls or texts). There is an obvious downside to security keys (they cannot be backed up, nor can their secrets be transferred), but passkeys are slowly becoming a viable alternative, which gives you almost the same level of security as security keys implementing FIDO2. Major services like GitHub already allow passkey authentication. Both iOS and Android have supported passkeys for a while now, and so have all of the major browsers (Chrome, Firefox, Safari).

So overall, I think passkeys are a good alternative to SMS :)


Now try to explain that to a person in their 70s who is thrice removed from the tech industry while they're trying to check their bank account balance.

I agree with you 100%, I wish we went for a much more secure way. Unfortunately UX friction and pre-established ideas will make it way harder to roll out to the general public.


The EU requires banks to use secure authentication methods and has done so by directive for more than a decade now. This includes one-time passwords and app-based two-factor.

I do not see how the elderly in the US would need more explanations than in the EU.


I think 2fa card readers that use your bank card (like the one that goes in an ATM) to generate a code are easier to understand than receiving an SMS. Especially here in chip-and-pin land.


Couldn't the same thing have been said for SMS 2FA, and not all that long ago?


Honestly "plug the little black thing in here, rub the gold dot when the screen says" is better UX than typing numbers. Have you ever heard the stories where people aren't able to type in their code before it expires?
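Added example, not from any commenter above: the TOTP scheme (RFC 6238 on top of RFC 4226 HOTP) that authenticator apps mentioned earlier in the thread implement, with the verification-side tolerance window that addresses the "code expired before I finished typing" complaint. The secret is the ASCII test-vector key from RFC 4226/6238 (base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`); the 30-second period, 6 digits and a skew of one step are the common defaults, not anything a specific commenter's bank uses.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// RFC 6238 defaults used by most authenticator apps: 30-second steps, 6 digits.
const (
	Period = 30
	Digits = 6
)

// hotp computes an RFC 4226 code: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, then reduction to Digits decimal digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < Digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", Digits, code%mod)
}

// totpAt returns the code valid at the given Unix time: the HOTP counter is
// simply the number of whole Periods elapsed since the epoch.
func totpAt(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/Period))
}

// decodeSecret parses the base32 secret from the enrolment QR code or the
// "enter this key manually" string, which apps usually show in spaced groups.
func decodeSecret(b32 string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(b32, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// verifyTOTP accepts the code for the current step and up to skew steps on
// either side. skew=1 is the usual choice: it tolerates a user who hit submit
// just as the code rolled over, and a phone clock a few seconds off, while
// keeping the acceptance window to 90 seconds. Comparison is constant-time.
func verifyTOTP(secret []byte, code string, unix int64, skew int) bool {
	ok := false
	for d := -skew; d <= skew; d++ {
		t := unix + int64(d*Period)
		if hmac.Equal([]byte(totpAt(secret, t)), []byte(code)) {
			ok = true
		}
	}
	return ok
}

func main() {
	// Secret from the RFC 4226/6238 test vectors (ASCII "12345678901234567890").
	secret, err := decodeSecret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	code := totpAt(secret, now)
	fmt.Printf("code %s is valid for another %d s\n", code, Period-now%Period)
	fmt.Println("same code one step later, skew 0:", verifyTOTP(secret, code, now+Period, 0))
	fmt.Println("same code one step later, skew 1:", verifyTOTP(secret, code, now+Period, 1))
}
```

Two things the snippet leaves to the server around it: the code space is only a million values, so attempts per account must be rate-limited, and a code that has been accepted should be recorded and refused again within the window, since the skew that helps a slow typist also helps anyone who shoulder-surfed the code.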


In the past I've been given little key fobs with my debit card that give you a 2FA code when you press a button


Until a very small number of years ago, we couldn't check our bank account balances by logging onto the internets. We called or visited a bank teller in person. gasp!

If a person can't handle 2FA, do they really need to be using online services that are important enough to warrant using 2FA? I imagine the world will advance and this will become easier over time, but for now single player security across wires is complicated.


In mainland Europe, banks have used 2FA devices with a little LCD display since at least the early 2000s.

Now they're going more phone-based, which feels like a step back to me (but more convenient of course... though I hate the kind that makes you film a colored QR code from your PC monitor: it doesn't work in a mobile browser since the phone camera can't look at its own screen, and it makes you look like you're photographing your PC screen)


In Denmark, we have a common login system called MitID (translated: MyID), which is used by all banks, insurance companies, the governmental digital mail system (not email, but PDFs in a vault) and its still-alive, now-commercial-only predecessor. I believe it is by law.

The system is 2FA with either your phone or a hardware dongle proving your identity. It strongly authenticates you as a person who is precisely identified (the services only get a token, but it can also validate your person-number - think SSN in a US context).

It is quite harsh on device security, recently failing on beta versions of Android - on top of, afaik, always failing on rooted devices...

The phone version also requires you to scan a continuously changing QR code twice to proceed, which is shown when you need to identify yourself (in an iframe). This is to ensure you are "physically" present where you are being authenticated (i.e. to block some phone scams).

Works pretty well and is reasonably secure, whilst still having some flaws.

In the future, I believe this system will work in some/all of the EU due to the coming eIDAS legislation...
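Added example, not from the commenter and not MitID's actual protocol: one generic way to build the "scan the rotating code on screen with your phone" step described above, so the phone's approval is cryptographically tied to the browser session that is waiting and to a short time window. Everything here is constructed for illustration: the 20-second rotation, the HMAC over the displayed challenge, the Ed25519 device key standing in for whatever the real app enrols, and the session IDs and timestamps.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const ttl = 20 * time.Second // one displayed code lives this long; the page then swaps it

// challenge is the content of one QR code: the asking browser session, an expiry,
// a random nonce, and a server MAC over all of that so a forged code is rejected.
type challenge struct {
	SessionID string
	Expires   int64 // Unix seconds
	Nonce     [16]byte
	MAC       []byte
}

// signedPart is what both the server MAC and the phone signature cover.
func (c challenge) signedPart() []byte {
	var exp [8]byte
	binary.BigEndian.PutUint64(exp[:], uint64(c.Expires))
	return append(append(exp[:], c.Nonce[:]...), c.SessionID...)
}

func mac(key []byte, c challenge) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(c.signedPart())
	return m.Sum(nil)
}

// issue is the server side, called each time the page asks for a fresh QR code.
func issue(serverKey []byte, sessionID string, now time.Time) challenge {
	c := challenge{SessionID: sessionID, Expires: now.Add(ttl).Unix()}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		panic(err) // no entropy: nothing sensible to do
	}
	c.MAC = mac(serverKey, c)
	return c
}

// approve is the phone side: after the user confirms, the app signs exactly what it scanned.
func approve(devicePriv ed25519.PrivateKey, c challenge) []byte {
	return ed25519.Sign(devicePriv, c.signedPart())
}

// verify is the server side again: the challenge must be genuine, unexpired, for the
// session actually waiting, signed by the enrolled device, and unused (used = seen nonces).
func verify(serverKey []byte, used map[[16]byte]bool, devicePub ed25519.PublicKey,
	waiting string, c challenge, sig []byte, now time.Time) error {
	if !hmac.Equal(mac(serverKey, c), c.MAC) {
		return errors.New("challenge was not issued by this server")
	}
	if now.Unix() > c.Expires {
		return errors.New("challenge expired: the code on screen has already rotated")
	}
	if c.SessionID != waiting {
		return errors.New("approval is for a different browser session")
	}
	if !ed25519.Verify(devicePub, c.signedPart(), sig) {
		return errors.New("signature is not from the enrolled device")
	}
	if used[c.Nonce] {
		return errors.New("challenge already consumed")
	}
	used[c.Nonce] = true
	return nil
}

// demo walks one good approval, a replay of it, the same approval presented for
// another session, and one arriving after rotation. All inputs are constructed.
func demo() map[string]error {
	serverKey := []byte("constructed-server-mac-key")
	devicePub, devicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	used := map[[16]byte]bool{}
	t0 := time.Unix(1700000000, 0)
	c := issue(serverKey, "browser-session-42", t0)
	sig := approve(devicePriv, c)
	res := map[string]error{}
	res["fresh"] = verify(serverKey, used, devicePub, "browser-session-42", c, sig, t0.Add(5*time.Second))
	res["replay"] = verify(serverKey, used, devicePub, "browser-session-42", c, sig, t0.Add(6*time.Second))
	res["other-session"] = verify(serverKey, used, devicePub, "browser-session-99", c, sig, t0.Add(6*time.Second))
	res["stale"] = verify(serverKey, used, devicePub, "browser-session-42", c, sig, t0.Add(ttl+time.Second))
	return res
}

func main() {
	fmt.Println(demo()) // case -> nil (accepted) or the rejection reason
}
```

The caveat a practitioner would want: this binds the approval to a particular browser session and shrinks the window in which a relayed screenshot of the code stays usable to the rotation interval; it does not by itself prove the phone and the screen are in the same room, which is why the thread's quotation marks around "physically" are apt.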


Bastard bank charges me €20 for one of those LCD things. Luckily the battery lasts multiple years. The device particularly saved me when my phone got dropped and all I could do was email the world.


SMS "auth" is doing nothing but piggybacking/hijacking the hard credit pull the carriers ran on you when you got your phone.

So something that indicates there's a real person there paying a bill. Plenty of room for innovation here, but my suspicion would be that it would be a function of a credit bureau.


It already is the function of a credit bureau, and they're not doing a very good job.

AT&T required me to go to a retail store with government-issued ID and provide the last 4 digits of my SSN. I then had to answer some questions that were clearly provided by a credit bureau; all of them were some version of "which of these 5 addresses have you lived at before?"

This was concerning because I'd think that for most people, with a bit of digging, it's not that hard to get a list of previous addresses. But sim swapping should probably be at least as difficult as obtaining a replacement passport or drivers license.


Lots of countries don't have the concept of "credit rating" and yet still everyone uses the phone as a second factor, everywhere.

No, the reason is that your phone number effectively functions as your personal ID, lacking any other good alternative.


Does SMS auth not work with prepaid SIM cards? I think the real benefit is that a SIM card is basically a trusted computing device, but with a system in place at the carrier to give you back your number if you lose it. In effect, it's a digital proof of identity. Since identity is fundamentally the job of the government, the real solution should be ID cards with trusted computing chips in them. Though that will open up a can of worms with regards to privacy and government overreach.


Simple answer: implement a privacy law with teeth. It doesn't even need to be framed from scratch - the GDPR does a fantastic job at preempting most of the flaws that lobbyists would love to slip in.


What is the whole "consent" nonsense in the GDPR if not a huge gaping flaw slipped in by lobbyists?


It does, but in most of Europe at least, the process for (legally) getting a prepaid SIM card also involves showing government ID.


Ideally consumers would have access to multiple 2FA methods that all vendors support as standard, including SMS, app-based authentication, RSA keys, Yubikeys etc., that the user would choose based on the user's constraints, need for convenience, and threat model.


The immediate alternatives which are available today are 2FA via email or via an authenticator app such as Authy or Google Authenticator. So it's entirely a matter of whatever idiot companies decided to implement 2FA exclusively via SMS, adding support for one or both of those.

I'm another person who hates having to do 2FA via phone all the time, I am overseas a lot and it can pose serious problems for account access. I found out today that Authy even has a Linux client - hopefully this is the beginning of my life getting a lot easier.


The alternative is passkeys, which are strongly phishing-resistant and don't require an annoying "second factor" step for the user at all.
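Added example, not from the commenter: the mechanism behind "strongly phishing-resistant". A passkey assertion is a signature over data that the browser, not the page, fills in, including the origin the user is actually on and a hash of the RP ID the credential is scoped to, so a lookalike domain relaying the real site's challenge produces an assertion the real site rejects. This is a reduced model of WebAuthn's assertion verification written for the example: the relying party `bank.example`, the lookalike `bank.example.evil`, the challenges and the P-256 key are all constructed; the challenge is left as a plain string rather than base64url, and the ceremony-type, flag and signCount checks a full verifier performs are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the WebAuthn CollectedClientData fields that the browser, not
// the web page, fills in: the origin is the site the user is really on.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party gets back from navigator.credentials.get().
type assertion struct {
	AuthData       []byte // rpIdHash (32) || flags (1) || signCount (4)
	ClientDataJSON []byte
	Signature      []byte // ES256: ECDSA P-256 over SHA-256(authData || SHA-256(clientDataJSON))
}

// signedMessage is the digest the authenticator signs and the RP verifies.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// authenticatorSign simulates the authenticator. The RP ID and origin come from
// the browser, derived from the page's own domain; the page cannot choose them.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) assertion {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		panic(err)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: UP set; signCount = 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	if err != nil {
		panic(err)
	}
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}
}

// verifyAssertion is the relying-party side. Each check is one of the WebAuthn
// verification steps; origin and rpIdHash are the two a lookalike domain fails.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, rpID, origin, challenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: replay or wrong session")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q is not %q: user was on another site", cd.Origin, origin)
	}
	if len(a.AuthData) < 37 {
		return errors.New("authenticator data too short")
	}
	if want := sha256.Sum256([]byte(rpID)); string(a.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch: credential used for another RP ID")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature invalid")
	}
	return nil
}

// demo registers one key and returns the RP's verdict for a legitimate login, a
// lookalike site relaying the real challenge, and a replayed assertion.
func demo() map[string]error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	const rpID, origin = "bank.example", "https://bank.example" // constructed names
	chal := "sess-1-c0ffee" // constructed; a real RP issues >= 16 random bytes per login
	good := authenticatorSign(priv, rpID, origin, chal)
	// A real browser never offers this credential on another RP ID; forcing the
	// signature here shows the server would reject it even so.
	bad := authenticatorSign(priv, "bank.example.evil", "https://bank.example.evil", chal)
	return map[string]error{
		"legitimate": verifyAssertion(&priv.PublicKey, good, rpID, origin, chal),
		"lookalike":  verifyAssertion(&priv.PublicKey, bad, rpID, origin, chal),
		"replay":     verifyAssertion(&priv.PublicKey, good, rpID, origin, "sess-2-decade"),
	}
}

func main() {
	fmt.Println(demo()) // case -> nil (accepted) or the rejection reason
}
```

The contrast with SMS or TOTP is that there is nothing for the user to read off one screen and type into another: the origin and challenge are bound into the signature by the browser, so a user who is fooled into visiting the lookalike cannot hand it anything the real site will accept.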


While true and while absolutely better from the security and privacy standpoints, aren't passkeys less inclusive than SMS 2FA? Honest question - I'm not sure. I can see them being both less and more inclusive: somewhat more inclusive because they don't require any monthly payments to keep a phone number active, but most likely significantly less in terms of adoption.

Also, passkeys don't provide a way to perform non-Internet authentication. Like when you call your bank or they call you, you cannot use a passkey to authenticate each other purely over the phone, you need to be online. While this is surely technically possible to do over the phone (or postal pigeons -- j/k), it's not even on the radar and is extremely unlikely to ever happen in any foreseeable future.


"Passkeys"

Passwordless, whatever it's called this week.


TOTP apps are good enough in most cases.


yes.




