They already support other forms of 2FA, so I guess you mean they should turn off support for SMS. Keep in mind that for many users the alternative is no 2FA at all (they don't browse HN and Krebs), which is much, much worse.
Coinbase should continue doing what they are doing, which is to support SMS, and educate and encourage users where possible to use something else instead.
What they should be doing is to subsidise YubiKeys for their high-value customers.
Not just to lock down the logins to Coinbase, but to also secure their customers' email, Twitter accounts, and as many other online systems as would support hardware backed WebAuthn. Hell, PokerStars did this with RSA tokens back in 2008 so it's not like it's a new idea.
Yes. You need an NFC-chipped phone and an NFC model YubiKey.
That also solves a major usability issue: instead of trying to juggle between a mobile application and a TOTP authenticator (on the same device!), or plugging in a USB adapter for authentication needs, you just quickly tap/wave your keyring next to the phone. Or quickly take your phone out of your pocket when you need the second factor.
Which works fine until they buy a new phone and trade in or reset the old one without transferring the private keys -- and now you're locked out of your own account because you lost your second factor.
> and now you're locked out of your own account because you lost your second factor.
To verify someone's identity ("Identity Proofing") using Stripe Identity [1] costs ~$2. They support IDs from 33 countries, and have implemented fraud detection in the flow. If you were so paranoid as to defend against someone stealing your government-issued ID (used in the proofing process), you could paper-mail an OTP to the physical address on file.
Does it suck, and is it the cost of no digital ID infrastructure in the US? Yes. Is it insurmountable? Not at all. At the end of the day, people are the weakest link, and we must fall back to meatspace trust anchors (in this case, possession of government-provided ID that can be provided on demand with robust fraud detection mechanisms). You are who you are, and own what you own, not because of key material but because of the law.
Emergency single-use codes. They can be printed and stored in a safe. Not every service with 2FA has this feature, I have no idea why. How hard could it possibly be?
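As an added illustration of the emergency-code feature described in the comment above (this is example code written for this thread, not anything Coinbase or any other service actually runs), here is one way a service could issue printable single-use recovery codes and consume them. The design choices (a 31-character alphabet without look-alike glyphs, ten characters per code, salted SHA-256 storage of the codes rather than the codes themselves, constant-time comparison, deletion on first successful use) are assumptions for the example; the `RecoveryCodeStore` class and its method names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed example of issuing and redeeming printable single-use
# recovery codes. Hypothetical design; not the code of any real service.

CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # no ambiguous 0/O/1/l/I
CODE_LENGTH = 10  # 31^10 ~ 2^49.5 possibilities per code


def generate_codes(count=10):
    """Return `count` random recovery codes formatted like 'abcde-fghjk'."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def normalize(code):
    """Tolerate the dash, spaces and capitalisation a user may type from paper."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code, salt):
    # Only a salted hash is persisted; the salt stops precomputation across
    # users. A slow KDF would also work but is not needed at ~50 bits of entropy.
    return hashlib.sha256(salt + normalize(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Server-side state for one account: a per-account salt plus code hashes."""

    def __init__(self):
        self.salt = secrets.token_bytes(16)
        self.hashes = set()

    def issue(self, count=10):
        """Generate a fresh set, replacing any older codes, and return the
        plaintext codes exactly once so the user can print them."""
        codes = generate_codes(count)
        self.hashes = {hash_code(c, self.salt) for c in codes}
        return codes

    def redeem(self, submitted):
        """Return True and consume the code if it is valid and unused."""
        candidate = hash_code(submitted, self.salt)
        matched = None
        # Compare against every stored hash without early exit so timing does
        # not reveal which (if any) entry matched.
        for stored in self.hashes:
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self.hashes.discard(matched)  # single use: never accept it again
        return True

    def remaining(self):
        return len(self.hashes)


if __name__ == "__main__":
    store = RecoveryCodeStore()
    printed = store.issue(8)
    print("codes to print and keep in a safe:", printed)
    print("first use:", store.redeem(printed[0]))   # True
    print("replay:", store.redeem(printed[0]))      # False
    print("remaining:", store.remaining())          # 7
```

The important properties are that the server never stores the codes in recoverable form, that each code stops working the moment it is accepted, and that the user-facing format survives being written down and typed back in.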
But then the bad guy just logs in to Authy with the same stolen credentials, because most normal people will probably use the same credentials for everything, including Authy. And arguably, the smartest tech-savvy folk wouldn't be storing their 2FA keys in the cloud like Authy anyway.
If your cloud account is protected by 2FA that's also in the cloud... it's turtles all the way down.
I'm not entirely familiar with Coinbase, so is it really 2FA, or is it 1FA in that you can use SMS as a recovery method when you don't know your password?
Wait, why should they accept customer funds if they don't think they can keep them safely? If somebody is saying, "Let me hold on to your money for you," it seems like a minimum bar is them being pretty sure it's not going to go anywhere.
You can change your phone number by re-validating your identity. During the 2FA step when logging in, you can click on "I need to change my phone number" (or similar).
Coinbase does allow SMS to be turned off. I did that on my account. When SMS is turned off, and when a U2F security key is the only 2FA you configured, if you lose the security key the only way to recover the account is to contact their support department and provide a photo of yourself holding your ID.