
> Anyone who relies on SMS for any type of authentication should stop

Err. That's pretty much every implementation of 2FA around the world.

Why isn't this better known?

The beauty of it is cases like Google's. They have this bizarre 2FA security-theater Google Authenticator thing, but then nearly force everyone to have their phone number as a "backup device".

Guess what they send you when you forget your 2FA or password? Yep, an SMS. So out the door goes the whole point of 2FA. Your three factors (account name / email address + password + Google Authenticator) have now been reduced to one factor: your email address.

I can rent a mobile tower in Malaysia or some other Asian country, advertise your phone number as roaming there for about €10/h and start intercepting all your shit. Or just get your telco's inept service dept to forward your number somewhere else.

Lessons here:

1. Even the giants get it wrong.

2. There is no security anywhere in the tech world. Literally everything is broken. Your electronic car locks / starter system, your phone, your internet, everything is horribly horribly horribly broken beyond any imagining, even for hyper-tech savvy people.

3. Remove your phone number as a backup device from your Google account and never use it as a backup device ever again.
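The "three factors reduced to one" point above can be made precise with a weakest-path check: an account is only as strong as the easiest route that ends in a logged-in session, and recovery routes count. The following is an added example (not code from the thread or from Google) that models a Google-style account with a phone number as backup, treats SMS OTPs and e-mailed links as capturable without physical access (the SS7 roaming / number-forwarding scenario just described; that classification, the route names and the factor list are assumptions of the model), and scores each route by the distinct NIST SP 800-63B factor classes an attacker still has to defeat.

```python
"""Weakest-path analysis of login and account-recovery routes.

Added example, not from the original thread. Factor classes follow NIST
SP 800-63B (something you know / have / are). Model assumption: SMS OTPs
and e-mailed links are reachable by a remote attacker (SS7 redirect, SIM
swap, number forwarding), so they are discounted to zero strength.
"""
from dataclasses import dataclass

FACTOR_CLASS = {
    "password": "know",
    "totp": "have",          # authenticator app
    "hardware_key": "have",
    "backup_code": "have",
    "sms_otp": "have",
    "email_link": "have",
}
# Assumption of the model: these can be captured without physical access.
REMOTE_CAPTURABLE = {"sms_otp", "email_link"}


@dataclass(frozen=True)
class Route:
    name: str
    factors: tuple  # every factor on the route must be defeated


def route_strength(route):
    """Distinct factor classes an attacker must defeat on this route,
    ignoring factors that can be captured remotely."""
    return frozenset(FACTOR_CLASS[f] for f in route.factors
                     if f not in REMOTE_CAPTURABLE)


def weakest_route(routes):
    """The route a rational attacker picks: fewest remaining factor classes."""
    return min(routes, key=lambda r: len(route_strength(r)))


def effective_factor_count(routes):
    """Effective number of factors protecting the account as a whole."""
    return len(route_strength(weakest_route(routes)))


def remove_factor(routes, factor):
    """Drop every route that depends on `factor`, e.g. after deleting the
    phone number from the account."""
    return [r for r in routes if factor not in r.factors]


# Constructed sample: a Google-style account with a phone number as backup.
# The third route chains "forgot password" and "lost authenticator"; one
# intercepted number satisfies both steps, so only the SMS remains.
WITH_SMS_BACKUP = [
    Route("normal login", ("password", "totp")),
    Route("lost authenticator", ("password", "sms_otp")),
    Route("forgot password, then lost authenticator", ("sms_otp",)),
]

# Same account after removing the phone number and adding printed backup codes.
WITHOUT_SMS_BACKUP = remove_factor(WITH_SMS_BACKUP, "sms_otp") + [
    Route("lost authenticator (backup codes)", ("password", "backup_code")),
]

if __name__ == "__main__":
    for label, routes in (("with SMS backup", WITH_SMS_BACKUP),
                          ("without SMS backup", WITHOUT_SMS_BACKUP)):
        w = weakest_route(routes)
        print(f"{label}: effective factors = {effective_factor_count(routes)}"
              f" via '{w.name}'")
```

Running it shows the account with an SMS backup scoring zero effective factors through the chained recovery route, and two once the phone number is removed and a non-capturable backup (printed codes) takes its place. The same table can be extended with whatever recovery paths a given provider actually offers; the score is always the minimum over all of them.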


Once you add another factor you can remove SMS from your Google account. I’ve done it with all of mine.

Edit: Oh, you said that.

I just removed my SMS from Google auth, thanks! And set up an Authenticator (Azure). I would like to see a world where we start removing SMS (and old passwords) from existing accounts.


This is why the recent NIST guidelines on 2FA explicitly discourage using SMS. (Search for ‘SMS’ in the document: https://pages.nist.gov/800-63-3/sp800-63b.html)


Not nearly as many people know how terrible SS7 is and the lack of security/PKI/crypto in old-school traditional telecom. It is also a lot more opaque to learn and has higher barriers to entry, and is a very clique-like club of "Telco" people.
