
> SMS 2FA needs to disappear (or be relegated to a strictly optional, discouraged method) yesterday, and so does using a phone number as the primary user identifier.

A lot of the downsides are mitigated by using Google Voice as the SMS number, since attackers can't migrate your number away from Google.

But in general, I totally agree with you from a security perspective. I just think that it's a difficult thing to get people to use authenticator apps. Apple has resorted to baking the functionality into their OS.



That's what I'm doing, and it works fairly well – until I get to one of the many corporations regarding VoIP numbers as inherently insecure, and they don't let you use it for 2FA purposes... (Never mind Google supporting robust 2FA for logins, and my phone operator not even offering 2FA for eSIM swaps.)

And that's disregarding the elephant in the room, i.e. Google inevitably pulling the plug on Voice at some point.



