Justin Mayer on why SMS-based two-factor authentication is mostly terrible:
Tying MFA to a phone number means your authentication process is now in the hands of external organizations over which you have no control. Specifically: phone companies.
Yes. True. Technically. App-based TFA is much better than SMS.
But so much of what we do requires that third parties are in control. We all use software every day. Software whose source code we have not reviewed, line by line.¹
Our crazy world of software is all held together by bubble gum and popsicle sticks. It's a miracle anything works at all.
¹ Even if you had the time, desire, and opportunity to do so, are you sure you'd catch any security issue?