Unpopular opinion: 2FA via SMS is better than nothing for most people

My buddy Marcus kept telling me to switch to an authenticator app, but after I lost my phone and couldn't get into my bank for 3 days, I'd rather have texts go to my old number than risk that again. Has anyone else had a similar disaster with app-based codes?

4 comments

4 Comments

gracethomas1d ago

SMS is worse than nothing when someone clones your SIM and drains your account while you sleep. Those authenticator apps might be annoying but at least they aren't sitting in plain text on a carrier's server waiting to be stolen. Sure losing a phone is rough but getting hacked is a whole different level of disaster that texts can't protect you from.

young.michael1d ago

Laughs in lost phone and 3 days of bank limbo.

henryt181d ago

@gracethomas is right about the SMS being vulnerable, but I gotta push back a little on the "authenticator apps are annoying" part (I mean, they can be, sure). The real win is using a hardware key like a YubiKey, because even if you lose your phone, that physical key is still separate. Losing a phone is a pain, but getting locked out of everything while hackers drain your accounts is way worse, so having a backup hardware key (like a spare one in a safe) solves both problems.

david_reed221d ago

I think the "hardware key solves both problems" bit is where I gotta gently push back. If you lose your phone and your YubiKey is attached to it, you've got a bigger problem than just a lost phone. The spare in the safe is a solid backup idea, but @young.michael's story about bank limbo shows how messy it gets when you can't access your second factor at all. Hardware keys are great, but they're not a magic fix if you don't have a backup plan that actually works when your primary device is gone. Also, some banks still don't support hardware keys, so you're stuck with apps or SMS anyway. Just something to think about before going all in on one method.