What sets SMS 2FA apart is that it’s almost “free” from a user-effort perspective. If you own a phone, the feature is already built in and enabled. Setup is nearly effortless. Backup is taken care of. Unfortunately, none of the same things are true for HOTP/authenticator apps.
The cognitive overhead of installing an authenticator app (and then worrying about what happens when you lose your phone) is absolutely ridiculous. The overall experience is just stunningly bad, given that it’s one of the best defenses we have.