While SMS as a true second factor is an increase in security, if the 6-digit code in an SMS can often reset a password entirely, I would argue security is actually decreased as the password can be bypassed entirely and the 6-digit number serves as a single factor for authentication in place of the password.
The ability of hackers to hijack a SIM or intercept an SMS is becoming increasingly mainstream. Replacing a secure, multi-character password with a 6-digit number sent over the air to your phone number (not even your phone, but your phone number, an important difference) is arguably a significant decrease in security.
Many sites now request your phone number before enabling 2FA and silently install it as a reset method, so as you're enabling an app-based 2FA approach which would add security, the site is silently setting up a 1FA security method behind your back, allowing a text to bypass your password and 2FA entirely. Paradoxically, by enabling 2FA in many places, you are actually switching to 1FA and making your account less secure than a password alone.
I'd like to see a column added for sites which do this and how to remove your phone number as a single-factor reset method. Offenders I'm aware of: Twitter, Wells Fargo, CreditKarma, Microsoft, Google.
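The argument above is a weakest-path argument: an attacker needs any one route to a session, so an account is only as strong as its weakest login or recovery path. The following is an added example (not the commenter's code, and not any named site's actual recovery flow) that models login factors and recovery paths and reports how many independently compromised channels the weakest path needs. Channel names such as `phone_number` and `totp_app`, and the scenarios at the bottom, are constructed for illustration; the `bypasses_second_factor` flag is an assumption that distinguishes a reset that lands straight in a session from one that still prompts for the second factor.

```python
"""Weakest-path view of account access (constructed example).

An attacker does not have to beat the primary login; any path that yields a
session counts. Model login factors plus recovery paths, then report the path
that requires the fewest independently compromised channels.
"""
from dataclasses import dataclass

# Channels an attacker would have to take over. "phone_number" is the SMS
# delivery target (SIM swap / interception), distinct from the handset itself.
PASSWORD = "password"
TOTP_APP = "totp_app"
PHONE_NUMBER = "phone_number"
EMAIL = "email"


@dataclass(frozen=True)
class RecoveryPath:
    channels: frozenset           # what must be controlled to trigger the reset
    bypasses_second_factor: bool  # True if the reset yields a session with no 2FA step


@dataclass(frozen=True)
class Account:
    login_factors: frozenset
    recovery_paths: tuple = ()


def _channels_for(acct, rp):
    """Channels an attacker needs to walk one recovery path to a session."""
    needed = set(rp.channels)
    if not rp.bypasses_second_factor:
        # The reset only replaces the password; non-password factors still apply.
        needed |= acct.login_factors - {PASSWORD}
    return frozenset(needed)


def access_paths(acct):
    """Every set of channels sufficient to obtain a session."""
    return [acct.login_factors] + [_channels_for(acct, rp) for rp in acct.recovery_paths]


def weakest_path(acct):
    return min(access_paths(acct), key=len)


def effective_factor_count(acct):
    """Independent channels the attacker must control on the weakest path."""
    return len(weakest_path(acct))


def recovery_paths_weaker_than_login(acct):
    """Recovery paths that need fewer channels than the primary login does."""
    return [rp for rp in acct.recovery_paths
            if len(_channels_for(acct, rp)) < len(acct.login_factors)]


def without_channel(acct, channel):
    """Drop every recovery path relying on `channel` (e.g. deleting the phone number)."""
    kept = tuple(rp for rp in acct.recovery_paths if channel not in rp.channels)
    return Account(acct.login_factors, kept)


# Constructed scenarios mirroring the comment's argument.
SMS_RESET = RecoveryPath(frozenset({PHONE_NUMBER}), bypasses_second_factor=True)
SMS_RESET_THEN_2FA = RecoveryPath(frozenset({PHONE_NUMBER}), bypasses_second_factor=False)

password_only = Account(frozenset({PASSWORD}))
app_2fa = Account(frozenset({PASSWORD, TOTP_APP}))
app_2fa_sms_reset = Account(frozenset({PASSWORD, TOTP_APP}), (SMS_RESET,))
app_2fa_sms_reset_then_2fa = Account(frozenset({PASSWORD, TOTP_APP}), (SMS_RESET_THEN_2FA,))

if __name__ == "__main__":
    for name, acct in [("password only", password_only),
                       ("password + app 2FA", app_2fa),
                       ("password + app 2FA, SMS reset bypasses 2FA", app_2fa_sms_reset),
                       ("password + app 2FA, SMS reset still prompts 2FA", app_2fa_sms_reset_then_2fa),
                       ("phone number removed", without_channel(app_2fa_sms_reset, PHONE_NUMBER))]:
        print(f"{name}: weakest path {sorted(weakest_path(acct))} "
              f"-> {effective_factor_count(acct)} channel(s)")
```

Run as a script, the third scenario reports a weakest path of just `phone_number`, one channel, below the single-password baseline's password plus the added TOTP factor; `recovery_paths_weaker_than_login` is the check a reviewer would run per site, and `without_channel` models the remediation the comment asks for.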