SwiftyBug 5 years ago

I just logged in as someone else on Facebook using a phone number I activated last week.

edit: there is another account linked to this phone number I activated last week. I could log in as that user as well. When I chose to recover my account and entered my phone number, Facebook listed all the accounts linked to this phone number.

edit2: of course, I can also log in to these people's Instagram accounts

  • mirimir 5 years ago

    Wow. But predictable, as dead numbers are recycled.

    And it's totally a Catch 22 for the previous "owner" of the number. Once they've lost the number, any glitch in status of linked accounts that requires phone authentication will lock them out. So if they forget to update authentication numbers promptly, they risk losing control.

    What a mess.

    • 8note 5 years ago

      that happened to my PayPal account.

      • mirimir 5 years ago

        Did you recover it? And if you did, how?

jbarberu 5 years ago

I think a part of the problem is that some companies aren't very transparent with how they're using your phone number. In my case I do want my bank to have my phone number, in case they need to contact me. I would rather they don't use it as a second factor (which I never knowingly agreed to) and I absolutely don't want to be able to reset my password over SMS.

The yahoo example is horrifying.

  • PunksATawnyFill 5 years ago

    What about the idiotic policy of requiring you to use an E-mail address as your user ID?

    Apple is going BACKWARD on this amateur-hour practice, now requiring your Apple ID not only to be an E-mail address... but a WORKING one.

    Stupid: https://goldmanosi.blogspot.com/2012/06/forcing-people-to-us...

    • wool_gather 5 years ago

      If you're going to be forced to use an email address as an ID, which I agree is poor practice, you'd definitely want it to be an operational one that is under your control.

      Otherwise you're leaving an opening for someone else to come along later, set up that address, and take over your account.

4FNET7 5 years ago

This is why I have 1-time codes printed out on paper stashed away in a safe place. If I ever lose my phone, I can get back into the account without access to SMS or an authenticator app.

  • giobox 5 years ago

    This doesn’t solve the original problem though, this is just a potential mitigation strategy for when/if it goes bad (e.g. the cell number is hijacked).

    It’s personally annoying to me how many 2 factor equipped sites force the use of SMS as the second factor. I imagine the conversation with the PO/PM for the feature must frequently include discussion of fears that allowing customers to opt out of SMS 2FA and use their own code generation tools is risky; you are relying on customer not screwing up to keep them as a paying customer.

    If they lose their personal Authenticator and recovery keys, it can be really awkward to fix. SMS could be argued to be superficially more attractive in this regard, given a cell number can be reissued unlike the permanently lost authenticator device/app. Of course the security of SMS 2FA is terrible etc, but I can understand some of the fear of the alternatives if you need to keep customers happy and able to actually use your service.

  • eswat 5 years ago

    I’ve found banks - at least Canadian ones - don’t even provide you with an option for backup codes.

    • coldacid 5 years ago

      I'm pretty pissed with TD's complete unwillingness to switch to a better 2FA scheme than SMS codes. Hell, even TOTP would be an improvement.

Daishiman 5 years ago

Given that I travel all the time with several different SIM cards, I live in fear that I might lose a SIM (they're tremendously easy to drop, break or just fall off from wherever you keep them) and have to wait for weeks before getting back home to get one.

Or, you know, just travel to a jurisdiction where I can't get SMSs from my home SIM.

By comparison one-time pads have been substantially easier to keep around and protect.

  • hocuspocus 5 years ago

    Services that assume phone numbers are some kind of stable ID are infuriating.

    Recently I wanted to log in to AirBnB. I hadn't signed in in 3 years. I was welcomed with a nice "We don't recognize this device. Get a code by text message or phone call at <number at my previous country of residence>." The thing is, I use social login on AirBnB! Specifically because I want to delegate MFA to a service where I'll keep my profile and login information up to date. I don't remember agreeing to my phone number being used as a second factor or as a way to recover my account. So I contacted their customer service and they unlocked my account within 2 days, without any further verification.

    • gsich 5 years ago

      Last time I used Airbnb they offered multiple verification options, including mail.

      • kweks 5 years ago

        The email option is displayed / hidden depending on specific factors, specifically if your GeoIP is in your original / standard country.

        Had to do this last week, VPN to my home country to enable code via email.

        Sheer stupidity.

  • derefr 5 years ago

    1. Sign up for a VoIP service with SMS support (e.g. https://voip.ms/)

    2. use a DID from that service for your 2FA

    3. use a softphone app with SMS support to receive 2FA codes (or just have SMSes sent to that number forward to your email; either or)

    4. when in a new country with a new SIM card, just make sure to sign up for data. Then you'll continue to receive your SMSes like normal. And your phone calls, too!

    (It's honestly insane that this isn't just... how phone infrastructure works, though.)

    • techsupporter 5 years ago

      > 2. use a DID from that service for your 2FA

      Except for the myriad companies who flatly refuse to permit their customers to use "VoIP" or "virtual" or anything-other-than-mobile numbers for SMS-based 2FA.

      My personal favorite is Zelle. I got a terms of service update a month or so ago, "you will no longer be permitted to use Google Voice or other VoIP or virtual numbers for Zelle and must provide a cell phone number to continue." Except that my cell phone service is provided by a company that buys blocks of data service and voice and SMS ride on that data, so the number "validates" as a VoIP number.

      I contacted my financial institution, "what do I do, you have this number and it's worked great and it's the only number I have." Sorry, can't use Zelle any more.

      • drewg123 5 years ago

        Tell me about it. I use Google voice for everything and have for years. My bank won't do 2FA with anything but their own RSA dongle (no thanks) or a phone number, and won't accept the GV number. I don't want to give them the underlying phone number (t-mobile), since:

        (a) t-mobile is famous for being socially engineered to give out SIMs on other people's accounts.

        (b) I have no loyalty to this plan. I've had 5 or 6 underlying phone numbers since I started using grand central (now google voice) in the 2000s. I don't even know what my t-mobile number is (i have to look it up on my phone's settings).

        • frosted-flakes 5 years ago

          Isn't number porting a thing in the US? It should be quite easy to bring your number to a different carrier.

      • derefr 5 years ago

        Hack I used to get around that: at the time I was signing up for the VoIP provider, I had an existing cellphone number with a regular carrier. The VoIP provider let me transfer my cellphone number to them, just as if they were another cellular carrier. The number still shows up in directories as being owned by the original carrier (which I think is true in all cases where you transfer a number; the number is sort of "on loan" from the original carrier's assigned number space.)

        No 2FA (or KYC/AML) processes flatly reject my number, because it looks entirely legitimate to their heuristics. Still, sometimes the actual activation codes just mysteriously never arrive. Then I switch to using the actual DID associated with my (data-only) SIM, and the codes arrive instantly. I'm not sure whether this is their sending system being smarter about virtual numbers than their pre-check heuristics; or if it's just some weird gateway failure between my old and new carriers when (I presume) they try to forward the SMS from their SMSC to the VoIP carrier's SMSC.

PaulHoule 5 years ago

I would add that cellular phone vendors do not cover all of the POPs that they claim they do in the U.S.

No way am I going to spend big money for a cell phone plan when I also have to pay top dollar for a substandard landline and DSL. Sure, I could just use it when I am out and about and find some alternative way to get calls when I get home, but why reward the phone companies for underinvesting.

It used to be I could get a prepaid phone that was pretty good but the last few ones I have tried I had awful coverage, maybe they are only using Sprint for their networks now.

  • nfriedly 5 years ago

    I hear what you're saying and don't disagree with you at all.

    But one thing that I've found beneficial is that a lot of modern smartphones support wifi calling. I haven't had a single dropped call in my basement since enabling it.

jimbokun 5 years ago

Of course phone numbers stink as identity proof. But I thought that was the reasoning behind MULTI-factor authentication?

Yes, someone could get your phone number someday. And someone could get your password someday. But it's much less likely anyone would get both at the same time.

Stupid question, is it straightforward to change the phone number you are using for a second factor for most web sites?

  • romwell 5 years ago

    Once you add the "reset password using phone number" feature, as many sites do, you go from multi-factor to SINGLE factor for MANY websites.

    And that's a factor you don't have complete control over and once you lose, you lose forever.

    The best part? Right, you can lose your phone number if you lose your phone, because T-Mobile allows one to reset their account via SMS.

    You can lose your phone number if you misstep just once. My mom got one of those scam calls from people pretending to be customer service. They asked her to read off the numbers from an SMS to verify her identity, and she did.

    She got lucky because the account is in my name. Otherwise, the scammers would have had complete control over all lines. They'd have transferred it to themselves, and used that to take over ALL other accounts.

    And that has happened many thousands of times:

    https://motherboard.vice.com/en_us/article/gy8bxy/t-mobile-t...

  • wmf 5 years ago

    Once someone controls your phone number they can recover your email account then use email to recover all your other accounts. In practice it's not multi-factor.

  • AckSyn 5 years ago

    TOTP solves this issue. Even with a new number or loss of control with your service's password, if you have the TOTP app on your phone or watch you can effectively control access.

jammygit 5 years ago

What do you use instead of phone numbers that average people would be able to use? Is email with an MFA option the best bet right now? In that case, what do email providers use - recovery email addresses?

Faxing in photos of ID is just asking for someone to forget to delete it too, having it end up in some data dump one day

  • xfitm3 5 years ago

    Recovery codes + virtual TOTP.

mises 5 years ago

Let's be honest: a lot of companies use phone numbers to limit the number of accounts one can create. Email accounts are a dime a dozen. This is not fun for those of us who like to use many different accounts for different things.

3xblah 5 years ago

One website I know uses postal mail to send a confirmation code.

This seems much more trustworthy to me than mobile phone numbers.

However I am curious to hear counterarguments, if there are any.

  • xfitm3 5 years ago

    Snail mail MFA only proves you have access to the mailbox. Phone numbers are typically personal, not shared. Addresses are typically shared.

    • 3xblah 5 years ago

      That is a fair point. How would you counter the following?

      When a call is made or a text is sent to a mobile number it is not addressed to anyone in particular. It is addressed to the number only.

      Mobile phone "MFA" only proves someone has access to the SIM card. It could be anyone.

      When a letter is sent to a mailing address, it can be addressed to a particular person.

      In many countries, there are laws that protect postal mail from tampering.

  • colejohnson66 5 years ago

    It’s slow for one thing

    • 3xblah 5 years ago

      I was careful to use the word "trustworthy".

      Are you saying that speed affects trustworthiness?

  • mises 5 years ago

    What of the homeless?

nukeop 5 years ago

That's why everyone sane avoids giving out their phone numbers to any company except dire necessities, like maybe banks. Use U2F, don't use "google authenticators" or any other pseudo-2FA. No website has any business knowing your phone number.

Bonus: phone number databases are used in online tracking for connecting accounts across many websites to datamine more accurate data and form better profiles. Everyone privacy-minded should be aware of this.

  • Spivak 5 years ago

    What do you have against TOTP? It doesn't require turning over your phone number, just that you store the key somewhere secure-ish.

    • nukeop 5 years ago

      Nothing against TOTP per se, but plenty enough against Google Authenticator and its typical use cases. If you log into a website on your phone and use an authenticator running on the same phone, it's not 2FA, it's just two passwords.

      • vinay427 5 years ago

        This depends on your threat model. Imagine someone looking over your shoulder while you type in your password and TOTP token. Without TOTP, they would be able to log into your account on a different device without having your current device. With TOTP, they would need some way to get the correct token when they log in, which is much more difficult and more easily noticed by you.

      • AgentME 5 years ago

        If you're reusing passwords, it's still better.

        Obviously it would be better to not reuse passwords, but in general it seems to be easier to encourage users to do 2FA than to not reuse passwords.

RcouF1uZ4gsC 5 years ago

Phone numbers are pretty ok as a second factor. For a general purpose website I doubt any more than 10% of people will ever get anything like a Yubikey. As for using a TOTP app such as Google Authenticator, I myself have been personally burned when I wiped my phone and forgot to backup the TOTP codes.

Phone numbers combined with SMS are not perfect, but they are something the average user has, something that the average user can recover (if they lose a phone, they can get a new one but still keep the same number). No, they are not perfect, and if you are being targeted, they will not help you, but most people are not targeted, but they do use bad passwords and using phone numbers as the 2nd factor improves security.

  • guitarbill 5 years ago

    > For a general purpose website I doubt any more than 10% of people will ever get anything like a Yubikey

    I bought a bunch of Yubikeys and tried giving them away like candy to friends and family. I couldn't even give them away; people still weren't interested, including several developers (!).

    We'll never be able to save everyone, so my only wish now is that for the people who do care, everybody implements 2FA/WebAuthn properly and uniformly. Even that we're so far away from. Maybe eventually we'll get to some level of herd immunity, where >90% of accounts are 2FA protected, so trying to exploit them is a massive waste of time, and can be detected early.

    • giobox 5 years ago

      I’m not convinced at all they are good for “normal” people yet. Google’s support is great, especially as securing your email often helps secure password reset links etc, but browser support is sorely lacking even now - you are more or less forced to use Chrome. It’s turned off by default in Firefox and doesn’t work at all in Safari. It does work by default in Edge for the 50 or so users who didn’t just use it to install a third party browser. Mobile browsers are even worse, despite the NFC support on the newer yubikeys.

      The technology appears fine, it’s the culture/industry norms that aren’t catching up. Until you can reliably and easily use it most places in most browsers it’s always going to be a niche solution for security geeks.

      I do think they have great potential in the workplace though, especially the nfc ones - the same yubikey could be used for both physical door access controls as well as online services like email etc.

      I experimented with requiring the yubikey to unlock my MacBook, but the risks are enormous, even with a spare yubikey. Lose the yubikeys and getting your personal data off a FileVault encrypted volume is going to be great fun I imagine...

    • JohnFen 5 years ago

      > I couldn't even give them away; people still weren't interested, including several developers (!).

      I'm a developer and I own a couple of Yubikeys that I picked up to play with the concept. I don't actually use them for real authentication, though.

      Now, I know that I'm a weirdo, but the reason I don't use them for real is because they're less convenient for me than just using unique, strong passwords.

      • lisper 5 years ago

        Also, you can lose a yubikey even more easily than you can lose a phone (because yubikeys are smaller and you typically use them less often).

        • scottlocklin 5 years ago

          Don't you people use keys? Stick them on your keychain!

          • hombre_fatal 5 years ago

            You need multiple yubikeys. The problem is that they don't use some sort of derived key concept to make syncing easy. You need them physically present to add them to new accounts. You can't just lock one away in the safety deposit box. So you'll probably just lose them both if you lose one.

            I'm not surprised nobody uses them.

            The only practical application I can think of is some sort of central authority configuration like a corporation where yubikeys are given to employees.

            • 8note 5 years ago

              I've got one on my keys, and one stuck in the back of my monitor.

              sure, somebody could steal it, but I'm not going to lose it

        • guitarbill 5 years ago

          because printing out some recovery keys is so much hassle, or god forbid you have multiple 2fa methods like two keys and a TOTP authenticator app.

    • jonafato 5 years ago

      While I like my Yubikeys, they definitely aren't more convenient or intuitive for people who aren't accustomed to using multifactor authentication already. The webauthn spec [0] includes support for "biometric authenticators" and "platform authenticators" (e.g. the fingerprint readers with secure enclaves increasingly present on phones and laptops), and I think that has a real chance at improving authentication security across the board. Once Apple, Google, and the like start pushing "touch to login" via webauthn, people will come to expect that sort of convenience. And if all of your devices include these authenticators, adding a new device should be as simple as authenticating on one that hasn't been lost or stolen.

      [0]: https://www.w3.org/TR/2019/REC-webauthn-1-20190304/

    • stordoff 5 years ago

      > I bought a bunch of Yubikeys and tried giving them away like candy to friends and family. I couldn't even give them away; people still weren't interested, including several developers (!).

      My problem is what if I lose it. I know there are ways round it, but it's a layer of complexity passwords just _don't_ have. That's enough of a hurdle for me.

  • davchana 5 years ago

    I save all the seeds for 2FA in a separate keepass db & just rescan it on new phone whenever needed. Also, as last time I got an iPhone, I just made a simple javascript local script to paste that CSV seed data into it & click generated links to auto add those to Google 2FA App, https://davch.gitlab.io/dms/otp.html

hiei 5 years ago

My phone number is still all over the internet - thankfully from the previous owner and their personal information. I have had this number for 12 years now

dontbenebby 5 years ago

One thing I recently did was sign up for Google Voice, then move all the sites that insist on SMS authentication over to that phone number.

In addition to (hopefully) cutting down on spam calls, it's much much harder to hijack my google account than a cell phone account

(Just be sure to turn call and text forwarding off)

  • RcouF1uZ4gsC 5 years ago

    Which is great until you post a video on YouTube with copyrighted music in the background, and the algorithm decides to lock you out of all your Google accounts.

    • lohszvu 5 years ago

      Or you store legal files on your gdrive that Google thinks violate their policies and bans your account.

    • js2 5 years ago

      I have a separate account for Google Voice that I don't use for anything else.