Why do you think sms "2fa" is suddenly so popular with banks and other fintechs, despite things like passkeys and u2f, you know things that _actually_ prevent people from breaking into accounts, have existed forever?
Any business vaguely money related knows exactly who you are because of KYC requirements. They don't need to ask for your phone number when they already have your full name, address, birthday, and SSN.
> Any business vaguely money related knows exactly who you are because of KYC requirements.
They also will happily give your money to any thief pretending to be you, and then blame you for their mistake.
The bank would be responsible for getting the user their money back under US law, actually - even if it was the user’s fault due to bad security
Victims can spend hundreds of hours over the course of years navigating corporate and legal bureaucracies before their account balances and credit scores are restored. The system absolutely makes a bank error the victim’s problem to solve. Guilty until proven innocent.
Unless you’re in a jurisdiction in which they’re liable for that mistake.
I don't think there's any jurisdiction that puts the identity theft victim on the hook for fraud. Yes, you might get threatening letters or dings on your credit report/score while the issue gets sorted out, but that's not the same as being "blamed" for the identity theft, any more than someone wrongly accused of a crime is "blamed" for the mistaken identity.
There's probably no jurisdiction that says the victim is on the hook, but plenty where the victim is on the hook by default and it's not possible for them to exercise their theoretical rights.
Try convincing your customers to all get a YubiKey... it's not fun. The majority of internet users are able to read an SMS on their phone and copy a code, however.
HSBC used to distribute hardware keys to its retail customers just a few years ago
These keys eventually stop working, need a new battery, etc. Instead of the onus being on the customer to "pull" a new one of these keys, it would be better if you "push" them (mail a new one proactively every January 1st, give a $20 one-time service credit for activating it, and a $5 a month credit for continuing to use it).
I had a hardware token for PayPal 20 years ago.
They could at least have it as an option. But, for some mysterious reason, of all the services I need a login for, banks tend to be the only ones at this point that don't support it at all.
Seems like a small price to pay to prevent coughing up literal millions in fraud payments every year.
Passkeys are pretty new - most of the major platforms didn't gain support until 2023.
2023 was fifty years ago
TOTP was definitely common decades ago. E-Trade for example supported it before KYC was mandated.
SMS 2FA stops enough would-be criminals and checks the compliance box. They don't lose enough money to sophisticated thefts to do something better.
SMS 2FA is good enough for most people most of the time. It's very bad at preventing high-skill targeted attacks against individuals, but it's perfectly good at preventing mass brute-force attacks.
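To make the distinction in the comment above concrete, here is an added example (not code from anyone in this thread) of a minimal server-side one-time-code verifier of the kind behind SMS 2FA. The code, the user names, the three-attempt limit and the five-minute lifetime are assumptions chosen for illustration. The two scenario functions show why such a code defeats blind mass guessing (a 6-digit code with 3 attempts gives an attacker a 3-in-a-million chance per login) while doing nothing against an attacker who has already obtained the code from the victim, which is the targeted case the comment is talking about.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6        # assumed code length, as with most SMS codes
MAX_ATTEMPTS = 3       # assumed guesses allowed per issued code
TTL_SECONDS = 300      # assumed code lifetime


class OtpStore:
    """Holds one pending code per user with an expiry and an attempt budget."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested
        self._pending = {}             # user -> [code, expires_at, attempts_left]

    def issue(self, user):
        """Generate a fresh code for `user`. A real system hands this to the
        SMS gateway; it is returned here only so the demo can simulate delivery."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [code, self._clock() + TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user, submitted):
        """Return True only for the correct, unexpired code within the attempt budget.
        Every failure consumes an attempt; exhausting the budget or expiring
        invalidates the code so it cannot be guessed at leisure."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user]
            return False
        entry[2] -= 1
        # constant-time comparison so response timing leaks nothing about the code
        ok = hmac.compare_digest(code.encode(), submitted.strip().encode())
        if ok or entry[2] == 0:
            del self._pending[user]     # single use, and locked after the last miss
        return ok


def brute_force_success_probability(digits=CODE_DIGITS, attempts=MAX_ATTEMPTS):
    """Chance that blind guessing succeeds against one issued code."""
    return attempts / 10 ** digits


def blind_guessing_attack(store, user, real_code):
    """Attacker has the password but not the code: tries MAX_ATTEMPTS wrong guesses,
    then the budget is gone and even the real code is refused."""
    wrong = "000000" if real_code != "000000" else "000001"
    results = [store.verify(user, wrong) for _ in range(MAX_ATTEMPTS)]
    locked_out = not store.verify(user, real_code)
    return not any(results) and locked_out


def relayed_code_attack(store, user, real_code):
    """Attacker who phished or intercepted the code in real time: the verifier
    cannot tell them from the legitimate user."""
    return store.verify(user, real_code)


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("alice")          # "alice" is a constructed sample user
    print("blind guessing defeated:", blind_guessing_attack(store, "alice", code))
    code = store.issue("alice")
    print("relayed code accepted:", relayed_code_attack(store, "alice", code))
    print("per-login guess probability:", brute_force_success_probability())
```

The attempt budget and expiry are what make the mass-guessing case hopeless; the constant-time compare keeps the verifier from leaking code digits through timing. Nothing in the verifier, however, binds the code to the session or device that is logging in, which is exactly the gap a real-time phishing page exploits and the reason origin-bound methods such as U2F and passkeys are stronger against targeted attacks.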
It's popular because it solves the problem (not ALL problems, but the one they're trying to solve) and it's easy and low-barrier to implement and use.
Passkeys shouldn't even exist