The most infuriating auth-related thing for me is the companies that insist on doing phone-based 2FA. I'm inextricably linked to my specific phone number at this point in a way that previously was only an issue with my email address.
This is a beautiful catch-22 because when you can't use your SIM is also when they decide your location is too different and you must be reauthorized. The same for anti-fraud text messages, which are nice when you're home but useless when you're out of country.
I was thinking this with my health insurance website (which uses SMS 2FA), and I realized the problem is you can't expect your average Joe to know how to manage a TOTP 2FA correctly.
SMS might not be the most secure, but it's probably better than 1FA, and absolutely everyone can use it. Enter your number, receive text, boom.
There are other options though. Couldn't a health insurance company make an app? Or do SSO through Google and such? WebAuthn is really easy!
Controversial opinion: If you are given all these options and you cannot/refuse to use them, you shouldn't manage your insurance through the web. Either you are wholly computer-illiterate, deeply misinformed, or you are not educated enough to use it safely.
Of course, the main issue is that companies only give SMS 2FA as an option, or only one other, like the App method, which forces users without phones to fall back to SMS. Worst part is that especially financial institutions are guilty of this.
Yep, and this is because sim-jacking is actually less profitable than just finding records of people’s _past_ phone numbers and signing up for a voip service that supports sms for that number. And many of the voip providers just don’t do any kind of fraud prevention.
Source: I work at a place that is a natural target for this kind of thing.
I had that issue when I left a (15+ year) job with a company that owned the phone number I'd been using for both work and personal. Justification being that this was waaaaay back when mobiles were just becoming ubiquitous; Nokia 3310 days.
Not just the hassle of re-connecting the accounts, but even knowing which ones were inextricably linked to the phone number to which I no longer had access.
(I think I could have requested the number personally, but I wanted to make a clean break, and having a new phone number meant I was much more difficult to contact for any legacy issues I no longer cared about - double-edged sword)