I refuse to have a phone line. I only get one for a month when I’m looking for a job. Got tired of paying a subscription fee just to get spam calls. All my communication is done through messaging apps and the only time I don’t have access to wifi is when I’m driving.
That still requires getting personal information about the user, which is often enough without 2FA. 2FA still makes it more secure than not having it. It’s still a vulnerable step though, so users should be aware of that.
Just a heads up, you can get a free phone number from Google, and probably other providers. If you’ve got a computer of some kind and an internet connection, you can make calls and texts from there. If that’s all you’re getting a phone for, don’t bother with the actual device.
I don’t know about Google’s “free” numbers, but third-party VOIP numbers are usually blocked for 2FA verification. I’ve tried that. Most places won’t accept it, because they know you’re trying to get around the tracking. The 2FA isn’t the point, and the cost of the phone isn’t the point, the tracking is the point, and Google’s “free” numbers are absolutely tracking you just as effectively as any telecom is.
Google Voice user for 15 years and I’ve had about 3 instances where my number wasn’t usable for 2FA, mostly because, to your point, by the time companies that care about security learned about voip #s they realized they are mostly used legitimately and sms was insecure anyway. Luckily I found a great FOSS auth app, which I prefer to sms anyway; especially if traveling I don’t have to depend on a mobile connection to be able to complete 2FA.
Probably SMS or in-app 2FA. That’s what annoys me about banks: they claim to do things for security – which in their case it makes sense because they don’t need to harvest data to make money – but then go ahead and roll their own instead of using standards.
Why?
I refuse to have a phone line. I only get one for a month when I’m looking for a job. Got tired of paying a subscription fee just to get spam calls. All my communication is done through messaging apps and the only time I don’t have access to wifi is when I’m driving.
And because SMS 2FA is actually opening a common attack vector. I have yet to find a credit union I qualify for that uses TOTP or Yibikey.
That still requires getting personal information about the user, which is often enough without 2FA. 2FA still makes it more secure than not having it. It’s still a vulnerable step though, so users should be aware of that.
Start talking to someone at the credit Union. They are run by people, you might be able to convince them the risk and implement a safer method
Just a heads up, you can get a free phone number from Google, and probably other providers. If you’ve got a computer of some kind and an internet connection, you can make calls and texts from there. If that’s all you’re getting a phone for, don’t bother with the actual device.
https://support.google.com/voice/answer/115061?hl=en&co=GENIE.Platform%3DDesktop
I don’t know about Google’s “free” numbers, but third-party VOIP numbers are usually blocked for 2FA verification. I’ve tried that. Most places won’t accept it, because they know you’re trying to get around the tracking. The 2FA isn’t the point, and the cost of the phone isn’t the point, the tracking is the point, and Google’s “free” numbers are absolutely tracking you just as effectively as any telecom is.
Google Voice user for 15 years and I’ve had about 3 instances where my number wasn’t usable for 2FA, mostly because, to your point, by the time companies that care about security learned about voip #s they realized they are mostly used legitimately and sms was insecure anyway. Luckily I found a great FOSS auth app, which I prefer to sms anyway; especially if traveling I don’t have to depend on a mobile connection to be able to complete 2FA.
Yeah, it isn’t good for 2FA, and obviously your data is being collected. If all you need it for is job applications though, it does that.
I use SMS Pool
Probably SMS or in-app 2FA. That’s what annoys me about banks: they claim to do things for security – which in their case it makes sense because they don’t need to harvest data to make money – but then go ahead and roll their own instead of using standards.