SMS 2FA binds to your phone number, not you or your phone. Nobody is going to intercept SS7; they’re going to call a phone company and port your number to their phone.
This isn't a "perfect is the enemy of the good" scenario, which is what I think you were trying to argue. For that to be the case, there would have to be some good - and I claim there is none, maybe even a little harm (false sense of security, used as ineffective stopgap, etc).
-
My thinking is that non-U2F is still valuable for less “phish prone” users... would u agree? In other words, if u combine 2FA w/ security Awareness Training, perhaps the sky is not falling?

-
I think security training would be useful with or without 2FA. If someone is vulnerable to phishing, 2FA doesn't change that. If they're not, then 2FA is (at best) not very useful. IMHO, 2FA is slowing down U2F adoption, because people (incorrectly) think it's "good enough".
-
One more thought/question: take Gmail for example. Even with Google Authenticator, SMS is a backup option. If non-U2F is security theater, any ideas what’s the logic behind the offering?
-
*If non-U2F MFA options are security theater