Ask HN: How can techies influence companies to stop implementing SMS/phone 2FA
100 points by codegeek on Nov 2, 2022 | 146 comments
We are tired of the risk that SMS 2FA brings. Most of us have gotten smart enough to not use it, but some companies (financial institutions especially) only have SMS-based 2FA even in 2022.

Then, there are some shady ones that force you to enter a phone number even for non-SMS/TOTP-based 2FA (looking at you, sendgrid).

People losing access to their phone is a scenario and puts users at significant risk of losing access to key accounts. I am not even talking about the security risk SMS 2FA brings which of course it does.

The worst part is that even now, companies are implementing it as an "updated security measure". Who are these people in the tech. departments making these decisions? It is beyond ridiculous, and why can't there be someone who understands that this needs to stop? I know most common people have no idea, but there are plenty of us who know what a pain in the ass this is.

Is it time to try and force legislation through Congress? Because I don't think these companies give a shit until forced to.



This is the most naive take on HN. The only secure computer is one that's been unplugged and buried in six feet of concrete; everything after that is a compromise.

The real world security issues that companies face are things like:

  - users that re-use tiny passwords written on a post-it note that's attached to their monitor
  - regulated industries that don't allow them to actually lock a user out, which causes leaky social engineering flows for their help centers
  - users that constantly forget their passwords, and have terrible forgotten-password questions/answers
  - passwords they share with a friend/partner, that they then have a falling out with

The reason SMS 2FA is popular is because the average use case is that the user's (reused and/or weak) password was captured somewhere, and this protects the user from simple attacks on their account where the password is known. It's just like the PIN code for most modern smartphones: just secure enough to keep the average person out if their phone is lost or stolen.

"But Joe, having a more secure system isn't that much harder on the user and is infinitely more secure". I promise you, it is that much harder. Most users can barely understand/handle SMS 2FA. Remember, we have to force users to not use trivially simple passwords like 'password'. Shoot, companies like AOL still derive monthly subscription fees because it's too hard for people to figure out how to change email providers.


> The reason SMS 2FA is popular, is because the average use case is that the user's (reused and/or weak) password was captured somewhere...

People are not disputing the effectiveness of 2FA. They're saying that SMS is not a reasonable way to implement 2FA.

All my banks' websites in Europe (I've got several) require the use of a physical device, provided by the bank, and protected by a PIN. I need to use such devices both to log in and to confirm wire transfers / stock buys / etc.

U2F keys like Yubikeys and physical 2FA devices like those provided by my banks are way better than SMS 2FA. Why not strive towards that instead of saying that SMS 2FA is popular for reasons and that nothing can be done about it?


Physical 2FA devices impose a significant price burden on folks who don't have a lot of disposable income. Imagine scraping by to pay rent from your minimum wage job, and you're told that you can't sign up for $SERVICE because you don't have a new enough phone or a yubikey.

Email 2FA works just fine. Set a long, secure password for your email account. Trust that your email provider won't allow anyone to brute force their way into the account. Don't use that email for any other accounts. Bam, security is fine.

Stop trying to force more and more purchases and apps down other people's throats. Maybe I don't have a smartphone or a yubikey. I should still be able to use services, especially when many of them are required to function in society today.


Italy here.

A couple of my banks let me log in by confirming my identity with a fingerprint on my phone, in their app.

Another one still supports their old 6-digit OTP generator, but also has the app with the fingerprint authorization.

Mastercard does key6, but they or my bank also send an SMS with a numeric code.

Paypal sends an SMS with an OTP.

It seems that nobody wants to spend money on hardware here.


The parent did refer to banks giving them to people. I just got a USB one in a swag bag at an event from Google so I guess they're pretty inexpensive these days. But I don't disagree with the basic point. Most everyone has a phone and won't carry around a separate hardware device in general irrespective of price.


Yeah, of course I won't do that because I might lose that device and it takes space, times the number of banks giving me their own hardware.

I keep my hardware key generator at home. I need it only to perform some operations from my computer. Everything I do outside home is with the phone, which funnily is its own 2FA device. Banks and regulators accept that for the sake of convenience.


> I promise you, it is that much harder.

Than TOTP? Than email? The problem with SMS is that it adds additional vulnerabilities through sim jacking. Every other 2FA method is tied much more strongly to an identity.


> Than TOTP?

Yes, absolutely. Recovering lost TOTP keys in a secure way is a difficult problem, and this happens all the time when people get new phones. With SMS the code is tied to your account, not the device.

> Than email?

Probably not much better than email for most users, but I guarantee for a large subset of users the SMS experience is better. With email you need to go to a separate app/page on the same device, with SMS you get a notification on a separate device or a notification popup on the same device (that usually lets you easily copy the code). Again, I totally agree that SMS has issues, but people arguing against it should spend some time in a usability lab with non-tech people - the kind of issues they hit will blow your mind.

> The problem with SMS is that it adds additional vulnerabilities through sim jacking.

Then fix the SIM-jacking problem. Which, I'll note, phone companies have made a lot of improvements in making harder, and in the US the government has gotten involved in making this harder.

Most importantly, note that SIM-jacking is really just a "how do we verify someone who lost a device" problem. That exact same problem exists with TOTP and hardware keys. All we really need are uniform guidelines for proving identity when a device is lost so you're not at the mercy of some low-paid, outsourced service rep to keep your account secure in the face of a persuasive bad guy.


> Yes, absolutely. Recovering lost TOTP keys in a secure way is a difficult problem, and this happens all the time when people get new phones. With SMS the code is tied to your account, not the device.

You can store your backup codes in any number of ways. The easiest is to just download them and have them automatically backed up to Google Photos/iCloud.

> Again, I totally agree that SMS has issues, but people arguing against it should spend some time in a usability lab with non-tech people - the kind of issues they hit will blow your mind.

I don't really care about usability when the solution is strictly worse than doing nothing. Like, to be clear, users would be safer without SMS if they just used a unique password. SMS is a terrible solution that really only solves "you used the same password across two sites, one of those sites got popped, the attacker doesn't have access to the common tooling to phish your SMS, and you can't figure out how to use email apparently".

> Then fix the SIM-jacking problem.

It's a lot harder to fix "make SIM recovery safe" than it is to fix "make email recovery safe" because phone numbers transfer all the time and emails rarely do. Further, almost all account recovery ends up falling back to email natively, so there's no additional attacks added.

At the end of the day:

1. Every modern browser supports a synchronized password manager, which makes all non-FIDO2 MFA basically useless

2. SMS 2FA adds additional attack surface through SIM jacking

3. Every modern phone is a FIDO2 compatible token

SMS 2FA is simply a technology that has no place. Attacker tooling has already started to adapt to non-FIDO2 MFA, so the time for that approach is just over. The best thing we can do is stop pushing for adding new vulnerabilities just to fail to solve a problem that has trivial solutions.

In short, it adds nothing over other techniques and it strictly increases attack surface.


>> Yes, absolutely. Recovering lost TOTP keys in a secure way is a difficult problem, and this happens all the time when people get new phones. With SMS the code is tied to your account, not the device.

> You can store your backup codes in any number of ways. The easiest being to just download them and have them automatically backed up to Google Photos/ iCloud.

As soon as lost TOTP keys were mentioned, this is exactly the type of response I was expecting, and it shows how far out of touch tech people are with “normal” people.

MFA login is needed because general people are so bad at managing their passwords (using simple ones, re-using ones that have been leaked, etc) that the tech side had to just give up asking and start forcing everyone to use what is essentially a one time password.

If users were conscientious enough to know how to store backup codes, etc, then we wouldn’t have the problem of bad passwords to begin with. So you’re expecting people with bad habits in one area to magically have good habits in another area that only exists because they couldn’t properly solve the original problem.


> So you’re expecting people with bad habits in one area to magically have good habits in another area that only exists because they couldn’t properly solve the original problem.

Not really, no. I'm actually advocating against non-FIDO2 2FA entirely because a strong password is just as good and every browser has a password manager built in now. 2FA doesn't add security, SMS 2FA makes things worse.


Built-in password managers (at least Chrome's) suck:

1. These days, most people use passwords across browsers and native apps. In-browser password managers don't really support this use case well, at all.

2. At least in Chrome's, you can't manually add a password or add any notes.

3. Sometimes login domains change, and since the password is only tied to the domain (not a generic name), it's easy for passwords to get lost.

Again, nobody is really disagreeing with you that the situation is less than ideal or that there are more secure alternatives. But you seem unwilling to accept that a huge swath of the population sucks at secure password management, which is why SMS 2FA is a "lowest common denominator" option to improve security.


I think the main contention here is that I'd say users should just do nothing. SMS 2FA sucks and it's going to be a horrible tech debt that we're paying off for decades. We have better alternatives that, for a huge number of users, are perfectly acceptable. For everyone else, yes, they will have to use stronger passwords.

I really don't believe that there's some huge cross section of users who simultaneously:

a) Will go through the hassle of enabling and using SMS 2FA

b) Won't go through the hassle of using another 2FA method - email, totp, any smart phone for u2f, or a dedicated token

c) Won't use relatively unique passwords for high value websites, password manager or not

IMO SMS 2FA is, however, likely convincing users that they are safer than they truly are, and gives companies an excuse to do what's easy and not what's safe.

I mean, some banks even hand out hardware tokens to customers. I'd suggest that instead of SMS 2FA being treated as acceptable we add more pressure to improve the other systems, lower their prices, etc. Hardware keys should be effectively free.


> SMS is a terrible solution that really only solves "you used the same password across two sites

Right. That’s the sole purpose. People pick bad passwords and reuse them, but you already know that.

As much as tech tries to make this easy for people, it’s a horse-vs-water problem. Even smart people refuse to use password managers. Most of those people have figured out how to receive text messages.

Seriously, go find someone who owns a JitterBug phone and watch them create a new account on the website of your choice. We’ve got a long way to go.


Instead of pushing a non-solution that trades one issue for another we should be educating people on password managers. Every major browser has built-in password management.


My bank wanted me to verbally give them a new password (with various constraints like uppercase, lowercase, symbols, at least 12 characters) over the phone, having already identified with a dozen or so personal bits of information.

Apparently it was perfectly secure because to use it I also need an SMS.


Yikes. You should get a new bank. There are acceptable places for compromising security a bit, but reading out your password over the phone and then verifying SMS code also over the phone is definitely not one of them.


I hear you. However, don't force it on me then. Why not make it optional and give me a big disclaimer that I assume the risk if not signing up for that SMS-based 2FA? We already check many boxes. Happy to check one more.


> give me a big disclaimer that I assume the risk

Are you (and everybody else who ticks this box) going to pay for the company’s time dealing with the resulting tech-support phone calls? You might be willing to assume the risk for your own data, but for the company to offer this option, you also need to assume the risk of increasing their operating expenses.


You are the one forcing your opinion on us. "We are tired". No, you are tired.


The thing is, SMS 2FA is still way better than no 2FA and users are more likely to use it since it requires very little effort on their part.

Having to scan a QR code is too much friction compared to just asking for their phone number, which will then send a code that a modern phone OS will be able to autofill, all without leaving the app and going into the messages app to retrieve that code.

Edit: I have 4 YubiKeys and a Ledger Nano S that I use for critical services, such as my Google accounts and domain registrar, and I _still_ use SMS 2FA out of laziness for most services.


Sure, by all means, I am happy about companies offering SMS 2FA as an option (as long as they don't block VoIP, that is).

What is annoying is making it the only option, or almost as bad, a mandatory recovery option bypassing all other factors.


I think even Google is highly suspect for allowing a bazillion fallbacks to different MFA options.

What’s the alternative, if you don’t want people to get completely locked out when they fuck up?


Agreed.

If you use a password manager to generate a high-entropy password, come up with similarly-secure answers to the “security questions”, and make sure your email is also secure, then SMS 2FA is a significant downgrade to your overall security.


Note that when SMS-OTP is used as a second factor besides the password/security questions, 2FA is never a downgrade, but using SMS-OTP as a single recovery factor (for a forgotten password) definitely is. Only the latter is a problem.


It’s still a downgrade because it’s an avenue for social engineering the customer service/support reps.


Agreed. My day job is in fintech. Our average customer age is > 60.

Explaining 2fa via SMS to that age group is hard enough. Adding authenticators or QR codes into the mix would blow their frail minds.


A physical key is much more intuitive than typing a code. It's directly analogous to a locked room.


1. And physical keys get lost all the time. So then you need to solve the "lost key problem", and proving identity then means you're often vulnerable to the same types of things that make sim jacking a problem in the first place (to be clear, though, I think the much bigger benefit of physical keys is their resistance to phishing, not their resistance to sim jacking).

2. Actual physical keys are expensive. The margins on many types of depository accounts are razor thin, and giving everyone a physical key would be significant.

3. So an option to #2 is then to use the physical key built into nearly all smartphones these days. But I can definitely say that, at present, that option still doesn't work that great. Have had loads of problems using a phone key with Google's Advanced Protection, many times bugs on Google's part. Also, this normally depends on bluetooth, which can have a ton of connection issues.


Why do your other users need to suffer just because you have 60+ people too? How is that for an excuse to not provide better options?


60 is not old. And I don't think age is particularly relevant here.

Today millions of people are using PSD2-compliant SCA (which should not rely on SMS tokens only) in Europe. It is usually implemented by a push notification that you need to approve using biometrics on your smartphone.


> I don't think age is particularly relevant here.

“What technology you grew up with” is definitely a factor (not the only factor, but a big one) in “what technology you feel comfortable using”.


I used to say that I'm determined to not let technology pass me by with age, but now I suspect that it will happen someday anyway, despite being a technologist. I'm recognizing my aversion to newer, trendy things more and more. I often wonder where the line will finally be drawn and when I'll cross it. Maybe if companies start pushing something like video and gesture-based authentication in virtual or augmented reality, I'll be the old guy saying "you can pry passwords and email from my cold, dead hands."


> The thing is, SMS 2FA is still way better than no 2FA

You describe using the same device as second factor as the device you use to log in. What's the security benefit in this case compared to a password manager with a strong stored password alone?


For me, the bigger risk of SMS-only 2FA is being locked out of my own account.

I sometimes travel to Iran to visit relatives. For obvious reasons, there are no roaming deals between US carriers and Iranian carriers, so I am unable to receive SMS messages while there. I’ve been bitten several times by websites that see I’m logging in from a scary IP address, and force me to authenticate via 2FA SMS to proceed. Whoops, guess I can’t check my bank account for a month now!


If I log onto a webpage, my password manager fills in the details on my desktop.

If I have SMS, I then get a message on my phone which I have to enter.

Thus something hijacking my machine can't log on silently, even if it pulls the password out of my password manager.


> What's the security benefit in this case compared to a password manager with a strong stored password alone?

Nothing, except the reason companies use SMS 2FA is the vast majority of people still don't use a password manager with a unique strong stored password.


The security advantage is that an attacker using a completely different device doesn’t have your phone.


Except that SMS messages can be intercepted, e.g. by having proper access to the SS7 backbone, by abusing services provided for other reasons, or by SIM swapping attacks. All of this has already been done, so it's not just theory.

See e.g. https://arstechnica.com/information-technology/2021/03/16-at..., https://arstechnica.com/information-technology/2017/05/thiev..., https://arstechnica.com/information-technology/2016/08/congr...


Yes, of course, the Ask HN is basically about that! The parent comment asserted that having an SMS in addition to a password is functionally no different from having a password only. Which is not the case.


> users are more likely to use it since it requires very little effort on their part.

I use my tablet and laptop way more than my phone. I hate having to walk to another room to pick up my phone from its charger just to get one of these SMS codes. When I'm doing phone support I often hear, "hold on, I have to get my phone" when this step is required.


Set up your laptop and tablet to get SMS messages forwarded to them from your phone.


Good idea but I can't seem to find a built in way to do this. Everything I've found involves third party apps which have all the usual problems that make me not want to use them: permission, ads, in-app purchases, battery drain, etc. Do you know of any way to do this that's already built into Android?


Google Messages and Google Messages for the Web.


> The thing is, SMS 2FA is still way better than no 2FA and users are more likely to use it since it requires very little effort on their part.

(SMS 2FA + Strong Password) is worse than (SMS 2FA + Weak Password).

SMS 2FA doesn't solve phishing, and it muddies your identity with a weak, transferable identifier. If you've taken the time to set up SMS 2FA for yourself, you could have just used a strong password, especially since password managers are now built into browsers.

At least with TOTP you aren't adding additional vulnerabilities, but frankly most 2FA is pointless unless it's FIDO2, assuming you just use a password manager and use strong passwords.


Techies can best influence by understanding why sms otp is popular and coming up with something better.

Not only do you need to understand what shortcomings sms has, but also non-cynically understand why other solutions are worse.


Can't upvote this enough. People who say "we should all just use WebAuthn" need to understand:

1. Theoretically, they're right

2. Realistically, it feels like they've never interacted with the non-tech public, and all the issues and problems that need to be worked around with hardware keys.

There is a good reason companies are trying to move us to a "passwordless" future, but there is also a good reason they are going very slowly - they know there is no silver bullet.


The best solution I've seen is third-party bank authenticators. It's only popular in Finland (and I think Norway) due to some sort of mandates. It solves the biggest problem of using SMS for this: RECOVERY. If you lose your phone or number, you can stop in to your local bank with your passport and have it reset. They'll actually scan your passport, so social engineering attacks won't work.

https://www.nordea.fi/en/business/our-services/mobile-online...


I kind of feel like this is being done already with Webauthn and Passkeys. Another couple of years of users upgrading/updating devices, and the option to use a passkey may be as ubiquitous as using SMS for MFA.


It will take a while, but I'm hopeful that Passkeys--some variant of which has been discussed for well over a decade--will finally get mainstream adoption. I'm not convinced tokens ever will, at least outside of particularly high-value accounts.


>understanding why sms otp is popular

Exactly this. I bet you'd have less than a 25% success rate of getting the average user to even know that SMS and "texting" are the same thing. Now try to get them to understand what "OTP" is.

Having to register a phone number with a service is bad enough. Forgetting what weirdo password you were forced to come up with--"a capital letter, a special character (but not % or *), and a smiley-face Unicode character"--is bad enough. But for those people who just get a new phone and phone number for whatever reason, now you have to get that changed as well.

The big problems with SMS are 1) it is insecure, and 2) it does not have any sort of guaranteed delivery mechanism. These are problems that are readily solvable with a combined technical/governmental solution. Develop a standard, say "all mobile companies must adhere to this in 12 months," and then use that. Even if it isn't perfect, i.e. somebody finds a small flaw in the implementation, it's better than it is now.


Losing access to a phone means losing access to your TOTP codes as well. So that's no different than losing access to SMS.

TOTP codes can be shared between multiple devices - which makes them less unique than an SMS to a specific MSISDN. Your ability to back up a code doesn't necessarily mean you have the ability to store it securely.

FIDO tokens can also be lost.

I don't know why you're asking for your congress to fix this. You live in a free market, so move your business to someone who you think takes security seriously.


For SMS auth, you can get the cell company to re-issue a sim if you lose your phone. This is a feature and a bug, thanks to social engineering attacks. Also, the SMS transport layer isn't secure.

With TOTP, you can put the TOTP code in your password manager with all your other passwords, which is probably what I will do if it catches on. It's effectively one factor at that point. (Do you know my password manager's password?)


> You live in a free market, so move your business to someone who you think takes security seriously.

Adorable. Please show me a bank, utility provider, brokerage, widely-used P2P money transmission service, and phone provider that each offers WebAuthN (without a mandatory fallback to SMS-2FA).

There is absolutely no "free market" for authentication methods: Everybody does almost exactly the same thing, as authentication probably does not even make their top 10 business priorities.


I don't know where in the world you are but...

Bank: Most banks in the UK use an industry standard Chip Authentication Program - which uses the bank card's chip rather than SMS 2FA https://en.wikipedia.org/wiki/Chip_Authentication_Program

P2P Money: Coinbase https://www.yubico.com/gb/works-with-yubikey/catalog/coinbas...

Brokerage: Vanguard https://www.yubico.com/gb/works-with-yubikey/catalog/vanguar...

It would be a bit odd to have a mobile phone provider who doesn't support SMS. But it looks like Vodafone is hiring someone with WebAuthN experience https://opportunities.vodafone.com/job/Dusseldforf-Solution-...

Hope that helps.


> I don't know where in the world you are

Ah, your earlier statement ("you live in a free market") implied otherwise. Maybe something worth considering before asserting that there is free market choice in all of these industries.


"so move your business to someone who you think takes security seriously."

For banks, it is not that easy and convenient. I like my banks for many reasons except the 2FA thing. Most banks, at least in the US, are still doing SMS 2FA. I am done with the whole "If not happy, move" and want to figure out what we can do to educate/force these banks to do it the correct way.


> I am done with the whole "If not happy, move" and want to figure out what we can do to educate/force these banks to do the correct way.

Start a coordinated shitstorm against these banks because of this. Banks (as many companies) are often very concerned about their reputation.


>Banks (as many companies) are often very concerned about their reputation.

Haha. Banks are only concerned about their relative reputation. If all their peers are screwing the consumer, they don't care at all.

https://arstechnica.com/tech-policy/2022/10/zelle-fraud-is-o...


> I am done with the whole "If not happy, move"

That's literally the point of capitalism. Organisations are free to offer any service they like and customers can choose which one best meets their needs. If enough people move to the one offering better 2FA then the others will follow.

Having the government force companies to behave in a certain way sounds dangerously close to socialism to me.


Sure, let me just move my brokerage accounts to a provider that supports FIDO. I am sure that is a real thing that the free market has provided or will provide soon.

I'm sticking with Schwab for now because they are at least vish resistant. I have a 'verbal passphrase' and support will not help "me" unless I provide it.



> so move your business to someone who you think takes security seriously.

That is exactly what I did. I was with a major bank but they would not take my security seriously and only did 2FA. I moved to a small local bank that allowed me to lock down my accounts so that from the internet they are read-only. I have to physically go into the bank and show ID for most of my accounts. That leaves one account I can use for small online purchases.

I am working with them to implement better security around ACH/wire transfers. That's not even a discussion I could have with the bigger banks.


You basically need a backup token of some sort. Which, of course, makes them an even tougher sale to a mainstream audience.


Didn't you hear? Free market's out of style. Government mandates and bloated legislation are the new norm.


Changing banks is not free market, just like changing insurance companies. Most banks in the US enforce SMS 2FA. I would rather want the choice of not doing SMS 2FA. If you cannot implement better 2FA, don't force me to use SMS 2FA, and I assume the risk on my end. That's free market.


> Who are these people in the tech. departments making these decisions?

It is not the "tech. departments" making the decisions.

It is a PHB [1] in the "security department" following a checklist of "recommended practices" and one of the checkboxes on the list is "add SMS 2FA".

I.e., you are looking at it as a technical decision where the pros and cons security wise are weighed and the better technical solution is selected.

Which is not at all how these decisions occur in the real world in real businesses, and esp. in stodgy ones like banks/finance. Instead the decision is driven not by technical merit but by what "options" are provided on the checklist they must follow, that checklist often being sourced from whatever govt. regulator provides their oversight.

The technical people building the solutions likely know all the problems, but are powerless to do anything but implement the directed solution, because the directed solution is the only one available on the "checklist" from which they are allowed to select.

[1] PHB = Pointy Haired Boss -- Dilbert cartoon reference


One way that you can influence the situation is by addressing the PHB directly, in a language they understand: NIST 800-63B [0].

To reach Authenticator Assurance Level (AAL) 2, there are restrictions placed on PSTN-delivered OOB verification as described in Sec. 5.1.3.3. They explicitly state (in Sec. 5.2.10) that the validity of restricted authentication can change at any time, AND that organizations "SHALL" offer alternative MFA options that are not restricted.

Specifically: "The use of a RESTRICTED authenticator requires that the implementing organization assess, understand, and accept the risks associated with that RESTRICTED authenticator"

So now when you go to the PHB and say, the government says that we are potentially opening ourselves up to legal liability according to such-and-such document subsection whatever, you're much more likely to get allocated resources to implement alternative options. Plus, the government could potentially disallow phone-based 2FA at any time! Imagine how the board will react when they find that we didn't plan for this contingency and suddenly can't comply...

[0]: https://pages.nist.gov/800-63-3/sp800-63b.html


Since the document you link to is applicable to federal government systems only and neither opens you up to any legal liability nor implies the government will ban SMS 2FA for non-government systems at any time, the PHB will likely tell you to take a flying leap.


And it's also driven by solutions that will cause the least customer friction even at the cost of some (acceptable) loss of security. We need the tech equivalent of PHB for techies who think it's just about the best solution from a purely technical viewpoint.


Companies are weighing security vs convenience for the users vs support costs. They do know they could be more secure but the goal is not max security but rather some kind of balance between the three mentioned above. And sometimes it is in fact just sheer incompetence.

Trouble is, most people do not know what to do with a physical second factor. They don't know you need more than one and that you need to keep one offsite. They don't understand the way to make second factor work well is to deny ability to recover your access without it with all the nasty consequences of it.

For a company that provides service to the customers, this is nightmare. Unhappy customers, high support costs of trying to somehow securely give the access back to people who lost their tokens.

I think a much easier solution is to go to your mobile carrier and get an arrangement where they require you to go through special hoops to get the SIM card if you lose it or to port the number (which is what I did).

Also if you really care about security, put that number on a separate phone where you absolutely don't install any extra software. And do not use this phone for normal communication, do not put it in any contacts, try to avoid associating it with your name. This phone becomes your second factor so you might just as well get something cheap and small.


As long as the only viable alternative to SMS 2FA is some kind of Authenticator app on your phone, and as long as most people change or lose their phone FAR more often than they change their phone number, I really don't see how anything other than SMS has any realistic chance of being accepted as 2FA.

In fact, most services that allow you to configure a different 2FA still fall back to SMS if you say you don't have access to your Authenticator app anymore.

And no, yubikeys or other self-acquired hardware tokens are not a viable alternative.

Edit: just for reference, I've been using the same mobile number for ~15 years, back when I had a Nokia 3310. I have probably had 10 different phones in the same period - which would have meant I would have had to go to each service I used 2FA on 10 times in the same period to switch to the new 2FA if I had been using Authentication apps (and if anyone had been offering 2FA ~15 years ago). Note that one of these 10 phones was stolen, so recovering the accounts after that would have been a joy.


I tried to die on this hill once...

An "Architect" was pushing SMS 2FA for our application, and only SMS 2FA. Like you I pointed out all the issues. The response I got was "well if it's good enough for $BIGCORP it is good enough for us" and I didn't win. Cargo culting at its finest.


Perhaps by influencing developers and architects directly? Everybody searches for something like "how to implement 2FA nodejs" or "2FA best practices."

Flood the web with search-engine-optimized articles and tutorials around such phrases. Publish them on high-traffic sites and make them rank high. Content copycats will then organically spread those best practices through the web over time.

SMS-based 2FA has its simplicity/security trade-offs. But what really gets on my nerves is when websites don't even offer better 2FA options like software tokens and hardware tokens to power users.

For that problem, the articles can include content templates with instructions to users about buying hardware keys or installing 2FAS/Authy/GoogleAuth. Front-end devs can then just paste those templates in their HTML.


> But what really gets on my nerves is when websites don't even offer better 2FA options like software tokens and hardware tokens to power users.

The number of users on most B2C businesses who want this and would use this as a differentiator when choosing a product would be minuscule.

How do you recover your account if you lose the 2FA device? If the service offers email or SMS recovery then it’s not any better than SMS 2FA.

As a regular “power user” consumer all you should need to do is use a randomised password generator and password manager, not reuse passwords and use 2FA if a available.


> How do you recover your account if you lose the 2FA device?

All TOTP apps provide backup codes and export options. Store them in my password manager. If my phone gets stolen, I just import them into the new device.

> If the service offers email or SMS recovery then it’s not any better than SMS 2FA.

I've explained this in another reply. Briefly, in some countries, losing SMS-based 2FA is much more of a hassle than losing device-based 2FA because of government and private bureaucratic hurdles.

> all you should need to do is use a randomised password generator and password manager

No complaints there. Unfortunately, my bank forces me to use 2FA and, worse, forces me to use SMS 2FA.


Are you advocating for OTP 2FA? If so, your concern about losing your phone and losing access to your accounts is still an issue.

At the end of the day, OTP is more secure for the obvious issue with mobile carriers being phished into SIM jacking. But, I've personally had 0 luck convincing any business person that OTP is the best thing to use because (and this is a true statement) users are dumb and lazy and don't want to go through the process of downloading an app on their phone and setting up OTP. Plugging in your phone number for SMS is way easier.


TOTP can be stored in things like 1password and shared between devices, if you want.

I don't mind if SMS is an option, but I would prefer it not be the only option and certainly not the only backup option (weakest link and all that).


You mean TOTP in an authenticator app right? To my knowledge SMS 2FA sends you an OTP


Yes sorry TOTP.


Nobody has actually tried a concerted effort to banish SMS 2FA (that I know of). Here's how I'd do it:

1. Figure out what the alternative is ("X"). It must be one thing that is dead simple, and it must work for 90% of people without annoying the fuck out of them. "Technically superior" is bullshit, it must be superior to an industry, organization, and an individual lazy user.

2. Get a coalition together of corporations who depend highly on SMS 2FA. Get them to all agree to be involved in changing to X. There are big financial and legal implications here, this is not easy. People have probably signed long-term contracts and those will need to run out or be written off.

3. A big marketing push to tell people that you are spearheading change; SMS 2FA is old and busted, X is the new hotness. You have to convince users to give it a chance, organizations to stake their reputation and security on it.

4. An organization needs to exist whose sole purpose is to make money off the new alternative. Partly this is because orgs want to pay for "premium support", partly it's to offer indemnity to customers, partly to provide a white glove service during transition, and of course, any company that makes money off something gives it legitimacy, which is needed to make people take it seriously.

5. Get official standards bodies, the government, consumer protection agencies, etc. to all make official proclamations that SMS 2FA is a danger to the nation and should be abandoned in favor of X.

6. A long period of transition. Years. A lot of support for people during the transition. Bug-fixing, figuring out edge cases, adding support to every platform on the god damn Earth.

7. All this needs to be paid for. Get the money, get it to the right people at the right time.


You won't because people are married to their phones now. Anything else is an alien concept. Cars don't use keys anymore, people are going to be dumbfounded why their computer suddenly does.


I am talking about SMS specific. You could still do TOTP based/Authenticator app (not perfect but much better than SMS) and then have backups on multiple phones or even password managers as needed so that it is not tied to one single phone number.


How does my Aunt who only has a flip phone use an Authenticator app? She doesn't even know how to use SMS but understands the call verification on online banking.


You could solve 90% of this by having a yubikey be built into the phone itself. Non-techies would be "using their phone" and people who care could get a stand-alone yubikey thing.


This is basically what you are describing: https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-...

It's not widely adopted, unfortunately.


Isn’t a “yubikey built into a phone” just equivalent to a password manager? What threat is actually prevented by that? You have to have some way to sync the “yubikey” so that the phone can be restored if it is lost.


Not necessarily - it could be the Secure Enclave thingy and yes, if you lost your phone it would be like losing your yubikey, but the goal would be to get more support for yubikey like things.


The point is people don’t buy just one yubikey. You are supposed to buy them in pairs at least. So whatever you put in a Secure Enclave needs cloud backup for normal people to be able to use it, at which point it’s not functionally a yubikey anymore.


What's the advantage relative to a soft token? (Though it's arguable that Apple/Android should have an installed soft token out of the box.)


It can be a hard token utilizing the secure features of the phone itself.

This has the downsides if you lose the phone you lose the token, but that downside exists for a physical token, too.

The goal is to encourage them to support the tokens so that those who want to can go phone-free (by using a hardware yubikey instead).


> Is it time to try and force a legislation through Congress because I don't think these companies give a shit until forced to.

Yes. Without regulation, nothing will change in the short term; perhaps in the long term with Google and Apple pushing passkeys in their ecosystems.

You will still need a solution for those without a mobile phone or a smartphone, such as a hardware PIV/smart card like DoD CAC and other digital ID cards with crypto primitive support.

SMS/Voice MFA must go. Call your representatives.

https://www.congress.gov/bill/117th-congress/house-bill/4258

https://www.cisa.gov/sites/default/files/publications/fact-s...


This is such a lazy take. First of all, no legislator is going to take this up, this would be such a stupid issue to die on. Second, we don't need the government to tell people to switch, they will if there's something just as easy. Third, all the other solutions are currently shittier to use, so even if we did use the government to force people to change, everyone would hate it and it would destroy any good will people have to do a little extra work for security.


It was Google that championed 2-step verification a decade ago (2011), including SMS message as an option. I presume few people anticipated SIM-swap attacks at the time.

"After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device." [1]

Until someone comes up with a SMS 2FA alternative that is simpler and easier than all the SMS alternatives, then SMS 2FA will continue.

[1] Advanced sign-in security for your Google account (2011) https://googleblog.blogspot.com/2011/02/advanced-sign-in-sec...


I feel like there's an analogy between cryptocurrency and MFA where the strongest proponents of each ignore the human / social factors that landed us in the regime we're in now. If the replacement doesn't accommodate for those same concerns, it's not likely to take hold.

In the same sense that transactions need to be reversible, credentials and IDs need to be recoverable. People lose their devices, forget their passwords, undergo physical change, etc. I can't wait for the day we have something ubiquitous, trustworthy, secure, recoverable, and simple.


>Who are these people in the tech. departments making these decisions ?

They aren't in the tech department; it's being forced downwards in many cases, often by the company "selling" the 2FA "solution".

Some cases you get a rare CTO who actually understands and cares, but that's rare.

The main point of attack would be the companies selling 2FA solutions to enterprise; they need to add non-SMS options and market on them - which may require a few more high profile SMS hacks to get it in front of everyone.

So maybe the solution is for techies to hack SMS 2FA (don't actually do this).


It's cybersecurity departments that mandate these policies. In my organization a lot of these people come by way of the U.S. Air Force and NSA. They literally have seats at the table in the White House for DHS (Department of Homeland Security) meetings. Can you guess what they advocate for? Yep - SMS 2FA!

Now imagine you're the CEO of my company (a Fortune 200 company), a company that's responsible for infrastructure that's been deemed vital to the security of the United States. Who do you think the CEO is going to listen to, me or the Air Force guys and guys hailing from America's top three-letter security agencies?

Now, if that's what our CEO is doing then what do you think your CEO is doing? That's right - they're looking at what we're doing. They know we have our personnel engaged in meetings at the White House. They know we're managing nationally critical infrastructure. They know how we're securing our customer-facing applications - and that's SMS 2FA.

My advice is to keep your mouth shut unless you're a recognized security expert. You're just spending political capital for naught.


I've often wondered if companies prefer SMS over TOTP for multi-factor authentication because it provides them with a reliable phone number for each customer.

At least one company promised that phone numbers will be used only for authentication, but was caught using them for marketing (which is exactly why I don't trust most companies with my phone number in the first place).


I'm currently struggling to get access to an account for which my daughter lost the number (it was a prepaid phone number, went back to the pool).

The biggest issue with 2FA, is that everybody allows you to set it up with just a single second factor, so losing it, means you're out.

In enterprise contexts, it's not an issue, there's another factor that you can use in an emergency, which is basically contacting IT.

But for things like Google, Apple, etc. you should not be allowed or required to setup 2FA unless you can provide two distinct second factors, one for regular use, and another for recovery in case the first one is unavailable.

This is such a glaring usability omission that I cannot fathom how the heck we're still pushing for it.
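To make the "second distinct factor for recovery" from the comment above concrete (and the "backup codes" mentioned earlier in the thread), here is an added Python example that is not from any commenter: single-use recovery codes where the server keeps only HMAC-SHA256 digests under a per-user salt, the user keeps the plaintext offline, and each code is consumed on first successful use. The code length, format and count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets


def normalize(code: str) -> str:
    """Users retype these from paper, so ignore case, spaces and dashes."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


class RecoveryCodeStore:
    """What the server persists: a per-user salt plus digests of unused codes.
    Plaintext codes are shown once at enrollment and never stored."""

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)
        self._unused = set()

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._salt, normalize(code).encode(), hashlib.sha256).digest()

    def add(self) -> str:
        # 40 bits of entropy per code; assumed adequate only together with
        # rate limiting on the recovery endpoint.
        raw = secrets.token_hex(5)
        code = f"{raw[:5]}-{raw[5:]}"
        self._unused.add(self._digest(code))
        return code

    def redeem(self, code: str) -> bool:
        """Accept a code exactly once. Scan every stored digest with a
        constant-time compare so timing does not reveal how many remain,
        and remove the matched digest before returning success."""
        candidate = self._digest(code)
        matched = None
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self._unused.discard(matched)
        return True

    def remaining(self) -> int:
        return len(self._unused)


def issue_recovery_codes(count: int = 10):
    """Enrollment step: returns the plaintext list for the user (to print or
    put in a password manager) and the store the server keeps."""
    store = RecoveryCodeStore()
    codes = [store.add() for _ in range(count)]
    return codes, store


if __name__ == "__main__":
    codes, store = issue_recovery_codes(4)
    print("give the user:", codes)
    typed = codes[0].upper().replace("-", " ")   # sloppy re-entry still works
    print("first use:", store.redeem(typed), "second use:", store.redeem(typed))
    print("remaining:", store.remaining())
```

The point of the design is that the recovery factor is independent of the phone: losing the device or the number does not lose the codes, and a breach of the server's database yields only salted digests. Enrollment should refuse to turn on 2FA until the user has acknowledged the codes, and the login flow should warn when few remain.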


It took a long time to get companies to adopt 2FA. It'll take time & continued effort teaching & explaining to get more companies to move off. Each company is unique in their own reasons to not improve security.


Not really unique. It ultimately comes down to laziness. Which isn't even necessarily a terrible thing all the time. Companies need some level of laziness on certain things to actually profit. But a large chunk of the time it manifests itself in security.


"People losing access to their phone is a scenario and puts users at significant risk of losing access to key accounts"

You'd go to your network provider, show ID and in hours you have your SIM back. What is this hyperbole..?


Professionalism and quality of bureaucracy vary by country.

In mine, my provider invalidated my SIM twice during their technology upgrades (2G->3G, 3G->4G) without any notice, warning, or hint. Was it an upgrade? Was I phished? It's all left to the user to infer what happened. And if it turns out to be a crime, our rules expect us to interact with an even more apathetic and corrupt police department.

What may look like hyperbole in one country is daily ground reality in another. I'd much rather prefer something under my own control, like TOTP, over anything SIM-based.


Fair enough, but you then have the problem of not being able to cater to people with feature phones. I think combined email or SMS-based options solve most problem cases.

I don't understand the hate for SMS, like "how are these people in tech?" -- most banks I know of work on SMS-based OTP. SMS also gives you a sort of real identity to work with and physical location in most common cases (not for the app provider, but for investigative authorities if they get involved).


I'm personally fine with SMS-based 2FA for others. I just want banks and companies to give me my preferred alternatives.


In my country, you can buy a pre-paid SIM in a store without providing any kind of ID, making it impossible to retrieve the phone number once you lose it.

I'd be very surprised to learn that such things are not possible in the US.


I don't doubt your claim, I think it's more common to have ID verification across the world.

That aside, I think at one point if people make dumb choices, they're screwed, can't do anything about it..


> I think at one point if people make dumb choices, they're screwed, can't do anything about it

I don't think that a single "dumb" choice should result in people being screwed. Especially if the "dumb" choice is not really a dumb choice, except for "this one particular scenario in which it's dumb", like pre-paid SIMs. Quite a convenient way to blame the party damaged by big corp's bad decisions.


What I meant to say was, there needs to be a cut-off point for company responsibility. Agree, there should be other alternatives to SMS in case a user gets locked out.


Oh, my bad. In that case, I agree with what you're saying.



See this earlier discussion on problems that homeless people face re 2FA https://news.ycombinator.com/item?id=33120534


This has been a struggle at the company I work for. It's not really the techies that need convincing; it's the Product Managers who somehow have established this thought in their head that anything beyond SMS would be too hard for our customers to use, as stuff like TOTP requires a separate app or push notification or something else that is too out-of-band. For employees we already use TOTP/Yubikey-based MFA.


>Product Managers who somehow have established this thought in their head that anything beyond SMS would be too hard for our customers to use as stuff like TOTP requires a separate app or push notification or something else that is too out-of-band.

And what makes you think that they are wrong? It wouldn't surprise me if your PMs have actually talked to customers who went "Huh?"


I just hate that I need a mobile plan now to use most services that require SMS 2FA. I want to be able to do everything without a phone number.


There is legislation, the Secure Digital Identity Act, making its way through Congress. It would task NIST to create a standard.


NIST has a standard(s?) that says password strength rules are dumb and regular rotation is not necessary. Great, except we all know both are still widespread even by US sites. There's no 'oi comply with the NIST standard' regulation (for most companies anyway).


The short version is to probably try to document the upsides and downsides of 2FA options and then petition NIST/CISA to recommend against SMS 2FA. Eventually that will make it to the auditors who certify institutions and force them to upgrade.

Congress isn't really going to be relevant. The auditors have far more control.


2FA is good and is evil.

Good because with a SMS you can get easy access to recover your password.

Evil because, lose your phone, lose your access to email, bank and other services.

Maybe use 2FA with at least 4 methods of RECOVERY like: password, email, secret question, OTP SMS, another secret question.

Stop 2FA with limit methods.


What if tcp/ip and the digital pangaea known as cesspool devises domestic protocols and retires tcp/ip for a national infrastructure on a modern 21st century protocol, without a billion illiterates (they can sit around all day and shake the tree for fruit and nuts)?

Most of the impediments are long gone at that point. Domestic jurisdiction/regulation has better options, customs and etiquette, similar to domestic speedlimits (that do not apply anywhere else).

Technology moves fast. Something similar to a VPN client would still have access to tcp/ip subscriptions, so online gaming and things like that could still flourish.

I don't see telehealth, remote learning and several other industries blossoming until domestic protocols are the norm.

Security with obscurity is elementary nowadays :p

Similar to phonograph, to reel-to-reel, to cassette, to CD, to DVD, to streaming, to 21st century mediums, the quality data goes with each generation. The cool music is still there


Also, the $BIG_CO implementing this Today likely put it on their roadmap like two or three years ago.

And whichever manager made the push then cannot change course now or they'll be "wrong" which impacts their pay.

So, push the project through and call it a success.


Do you really expect politicians to fix a technical issue that technical people don't know how to fix?

This reminds me the old quotation: "you only trust in laws and sausages if you don't know how they're made".


I suspect that for SendGrid, SMS is an important hurdle for filtering out spammers. Of course, that's relatively easy to work-around, but it doesn't feel shady to me if viewed with this context.


A question here is 2FA with e-mail considered better or worse than SMS?


It's not "better" or "worse", but rather should be up to the user. I've got a bank where them sending the SMS just silently fails, probably because my phone number is on GVoice. The web forms will allow me to do email challenge, but then calling customer service I've got to tell them about the hidden option in their own system to turn it into a voice call challenge rather than the broken SMS.

I myself generally prefer email, because the message comes in quicker going directly to my SMTP server rather than bouncing through GVoice and then to my SMTP server. But if the formatting of the email doesn't make the nonce readily visible and selectable, then I'll prefer SMS because the limited length forces them to leave off most fluff.

But really, all of this should be consensual at the behest of the user, not forced by the bank to push liability onto the user. The main security model of US consumer banking is to report unauthorized transactions within 60 days and they'll be reversed. So anything that hinders me checking my accounts every month is a negative for my own security. My preferred system would be straight password for a full-access login (to be stored by my password manager), and then a separate password for read-only login with a well-documented API (to be used by automated scripts).


Why? MFA via SMS is the most user friendly option at this point. Nothing else comes close.

The Apple flow...
  - Visit site/app
  - Click "send code to phone"
  - Apple populates code field with code when it arrives

No 3rd party app, no extra subscription, no extra hardware. Couldn't be much easier.

Yes, I realize SMS can be attacked in a few ways that app- or hardware-based MFA cannot. But, it's probably better than nothing (I've not seen a good counter to it).

Now, should banks offer SMS + app/hardware options? Absolutely. No question. But please don't take away SMS unless you're offering something just as easy.


Because privacy. Name any company with an online presence that asks for its users' phone numbers and I'll give you five reasons why that company can't be trusted with them. Data of this nature is a liability and should be treated as such.


Fair enough, but I'm still waiting for an alternative that's as low-touch for non-techies.

And I'll still take SMS over "send the code to some other device that may or may not be within reach" which is one of the common alternatives. It's annoying enough at home, but if I'm on vacation or at the office, having codes sent to my iPad is a non-starter.


SMS 2FA is way better than 2FA via email. I can't convince that huge French company to add also an authenticator app besides their email 2fa.


Not saying you're wrong, but what's your logic? It seems to me that control of 99% of my accounts already reduces to having control of my email account, because account creation and password reset processes depend on my email. I've never understood why only a handful of my service providers let me select email as an option for 2-step verification.


I would love for my credit union to have SMS 2FA. Right now for web or mobile app access it is purely username and password.


Phone-only 2FA is horrible if you do overseas travel and get local SIM cards. I can't stand companies that do this.


Now why would we do that? SMS based 2FA works great in modern countries where SIM swapping is not an issue.


> "updated security measure"

The misconception that security is additive is deep rooted in a primitive view of the world that I can not imagine going away soon. If you have 10 cm of concrete protecting you, it's better than 5 cm of concrete. So if you have a grade 10 padlock and a grade 5 padlock (higher being better), it's better than just having the grade 10 padlock. Substitute padlock for any system that can be intelligently hacked.

My cynical view after having worked in regulatory compliance with so-called "security consultants" who are essentially paper pushers is that any security flaw can be fixed with the right wording in a document. In fact it might even be preferable to fixing the flaw in software. This is comparable to activating a linter only on touched files, not all historical code.

You could blame incompetence, but a real assessment is made: You earn more if you allow some amount of holes, blame evil hackers, reverse transactions, apply insurance. Most cash is digital, and all banks are in it together. This is why banks hate blockchain: There are too many poorly made systems that assume we can undo transactions when we fuck up, and not fucking up is too expensive.

When you have zero clue how something can go wrong, and you don't even know the probability up front, all you can do is bet on insurance and transaction reversal.

tl;dr: I understand you want to reach through via tech, but the problem is: Lack of real security is a conscious decision.


Vote with your feet! I switched my primary bank and my brokerage to ones with hardware mfa support.


can you name them? doesn't seem to be something that is advertised


2fa.directory


I don't understand. What's your alternative to SMS 2FA?


Non-SMS 2FA, such as TOTP, FIDO - using an app like Authy or Google Authenticator or a device like Yubikey or Nitrokey or something on-device like Passkey or Apple's stuff.


There are problems with the other alternatives that can prove to be an insurmountable barrier, especially for end-user products/services.

Consider I have an app that can stitch your photos together in a panorama, and you can sign up to store your creations in the cloud for some fee.

> TOTP, FIDO, Yubikey or Nitrokey

No user is going to buy a hardware token, just for this app.

> Authy or Google Authenticator

Users are more likely to go with this, but many would still not be willing to, or simply might not understand why.

> something on-device like Passkey or Apple's stuff

I don't know about this, have never used anything like this.

Point is, SMS 2FA presents the lowest barrier to entry for most users, and it is genuinely better than having just a password. So for most applications that don't need to be super-secure, it is totally fine and probably the best solution.


I was just answering your question what are the alternatives. Didn't read to me like you were already aware of them.


I meant that there are no alternatives that are good enough to replace SMS.


Join the big tech companies and adopt support for passkeys.


if there's one thing I'm sure of, it's that Congress getting involved will do anything but help the situation


All two-factor should be opt-in or opt-out. Users should have a choice between less security and getting locked out.


This isn't worth the effort to discuss. There isn't much point in fighting the surveillance state.

