I'm starting to think SMS-2FA might be a cult.
Unpopular opinion, even though it's not as secure as other methods, I'd still prefer it for many of my logins where the data is not super sensitive to me.
It's easy, needs no additional hardware or app, and works on simple b/w phones with text functionality as well.
Multiple, I have faced the dreaded scenario when I had my authenticator app configured with multiple accounts, factory reset my phone, restored the Titanium Backup of the app, and that restored the accounts, but the TOTPs were invalid.
Took me some days to recover those accounts.
And then, believe it or not, some people do exist who don't use a smartphone, and only have a basic phone for calls and text, but still use services for bank accounts that use OTPs. You wouldn't want to argue with them to buy a smartphone and use a TOTP option.
idk, if I were to make a dumbphone, TOTP would be among the first things I implement (although I indeed don't make them). Also, if you're talking about old dumbphones, there's a Java ME authenticator: totpme.sourceforge.net
Having in the past been involved in a multi-million-user IdP where TOTP was deployed for some use cases and SMS for others. TOTP is a horror, low enrollment success, many usability problems, horrible recovery, much help desk burden. SMS has problems but TOTP is not the cure.