You may have read by now that the age of SMS-based 2FA (two-factor authentication) is over and that there are better 2FA technologies out there. For example, authenticator apps, Yubikeys, etc.
There is a mix of truth, unfair generalization, and marketing in those articles to spin them in favor of each author’s varying motives.
What if I told you that you can look at security as a multidimensional concept?
People make security decisions based on the value of the entity they want to protect, the threats to the entity, the probability of those threats, and the trade-off in inconvenience incurred.
If you are like most people, you will choose a mortise lock with a key for your house, but a combination lock for your gym locker; the value of the contents of your house is worth more, the threat of theft in your fancy gym is less, and you prefer the convenience of not having to carry an extra key on you when going to the gym.
Extrapolating the same logic, the SMS-based 2FA used to protect your ride-sharing account, such as Careem, Uber, etc., may be sufficient for a user compared to the mechanism required to protect his or her Bitcoin account. The former has less value; it has fewer credits, with the credits further restricted to ride-sharing.
We can extend this argument to an extreme scenario where a web service lowers its security protection to zero, and yet offers to reinstate any stolen user credits. The credit reinstatement policy transfers all the user’s risks to the web service itself, and gives the user clear assurance about the ‘security’ in place, despite there not actually being any security in place.
This escalates the risks and the potential losses due to credit reinstatements, but these could be offset by the increase in revenue due to the upsurge in new users. One can easily reason that in a scenario with SMS-based 2FA, any losses incurred by credit reinstatements is surpassed by a healthy growth of user revenue.
In such a win-win situation for both the web service and users, who has the right to tell either of the parties that SMS-based 2FA is obsolete?
SMS-based 2FA also offers a unique proposition – it enables the web service to verify the user, as well as acquire a sticky and unique user identity (phone number) in a single swoop. This gives the web service a reliable channel to get the user’s attention. SMS are more likely to be read by the user compared to app notifications, and unlike apps, the phone number is more likely to stay with the user despite multiple phones switches. Check out this article on SMS vs. Push vs. Email to see when you should be using each delivery method.