
Okta architect here. It's hard enough getting MFA to work in a large organization where technically illiterate people are surrounded by coworkers to ask who have all figured out their RSA tokens or Okta Verify enrollment. Trying to manage this for the general public would be an incredible undertaking.

The cost benefit analysis probably does not make sense for a gazillion low balance users. It may make sense to enforce strong factors for high balance users. You have to balance that against them taking their business elsewhere.



In Europe all banks are using 2FA, and it's usually based on TOTP (and enrolling the first phone is a pain usually requiring QR codes and whatnot). 17 years ago some were using smartcards as 2FA. It's doable and secure, to the point that identity theft is almost unheard of (and usually used more as a synonym of catfishing than in the American sense).

SMS is handy but it should be a last resort rather than the main second factor.


I bank with a major European bank, and they still rely on SMS for 2FA for every online transaction, except for logging into their website. They offer 2FA through their app, but that only works with iOS or Android with full Google Play services: for non-Google folks running LineageOS or /e/ OS, they're stuck with SMS 2FA.


If you can use SMS as a factor, you can use SMS as a factor. The only way to win is not to play at all.


Yeah what I meant is that companies should propose other methods than SMS.

SMS can be good enough to confirm a password reset link that was sent by email (so you will not really do anything without access to an account's linked email address), but not as the main second factor for login.


This. Nerdy people don’t understand how much people struggle with this.

RSA enrollment is probably the single most challenging end user issue our IT folks deal with. After password reset it’s the #2 call, and lots of time, training and engineering effort have been expended to improve the experience. (And those efforts were very effective!)


So to sum up, an organization promising to take people's money and keep it safe can't afford to do it except for people with a great deal of money. However, they're still going to accept smaller amounts of money. Did I get that right?


Depends on how you define "keep it safe". If I give you $100 to keep safe, I don't care how many times you get robbed as long as I get $100 back when I want it. If I can get my money, it's safe.


When I went looking for an online brokerage in the USA with a reasonable login process (i.e. 2FA, not by SMS ever) it seemed pretty hard to find one. (Maybe that's changed?) These brokerages handle amounts much greater than a software engineer's retirement savings.


I think the difference for me is the extent to which transactions are traceable, revertable, and regulated. The median reaction to theft in the cryptocurrency world is somewhere between "caveat emptor" and "ha ha, buddy, you fucked up".

For traditional finance, it's pretty different. E.g., "If fraudulent electronic withdrawals are made from your bank or credit union account but your ATM or debit card is not lost or stolen, you are not liable if you write to let the bank or credit union know about the error within 60 days of when they send you the account statement showing the fraudulent withdrawals." https://ovc.ojp.gov/sites/g/files/xyckuh226/files/media/docu...


Fidelity has the option to use OTP only (although it's unfortunately a shitty Symantec app).


But could one simply take the secret when initializing the app and stick it in another, like andOTP? My employer told us that the corporate intranet required we use Google Authenticator, but when I try other OTP apps, it still works.
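The question above, whether a secret enrolled in one authenticator app can be moved to another, comes down to how TOTP (RFC 6238) works: the code is a function of the shared secret, the current time and a few parameters (digits, period, hash), so any compliant app holding the same secret produces the same code, and the server cannot tell which app generated it. The following is an added example and not code from this thread, from Google Authenticator, andOTP or any other vendor mentioned. It parses the `otpauth://` URI format used in enrollment QR codes, computes HOTP/TOTP with the standard library, and verifies a submitted code with a small clock-skew window the way a server would. The `Example Corp` URI is constructed; the key bytes are the RFC 6238 test secret, so the results can be checked against the RFC's published vectors.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrollment URI in the otpauth format that QR codes carry.
# The secret is the base32 encoding of the RFC 4226/6238 test key
# b"12345678901234567890"; "Example Corp" and "alice" are made up.
EXAMPLE_URI = (
    "otpauth://totp/Example%20Corp:alice"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Corp"
)

_DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth_uri(uri: str) -> dict:
    """Extract secret and parameters from an otpauth://totp/... URI.

    Defaults (6 digits, 30-second period, SHA1) follow what every common
    authenticator app assumes when the parameter is absent."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"][0],
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
    }


def decode_base32_secret(secret: str) -> bytes:
    """Decode the base32 secret; QR payloads usually omit '=' padding."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), _DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with the time step as the counter."""
    return hotp(key, unix_time // period, digits, algorithm)


def verify_totp(key: bytes, submitted: str, unix_time: int, window: int = 1,
                digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> bool:
    """Server-side check accepting codes from +/- `window` time steps so a
    phone whose clock drifts a few seconds is not locked out. The comparison
    is constant-time; a code from outside the window is rejected."""
    for step in range(-window, window + 1):
        expected = totp(key, unix_time + step * period, digits, period, algorithm)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def code_from_uri(uri: str, unix_time: int) -> str:
    """What any compliant app would display for this enrollment at this time."""
    cfg = parse_otpauth_uri(uri)
    key = decode_base32_secret(cfg["secret"])
    return totp(key, unix_time, cfg["digits"], cfg["period"], cfg["algorithm"])


if __name__ == "__main__":
    import time
    print(parse_otpauth_uri(EXAMPLE_URI)["label"], "->", code_from_uri(EXAMPLE_URI, int(time.time())))
```

Because the whole credential is the base32 string in the QR code, the security of a TOTP enrollment rests on where that secret ends up: a phone's hardware-backed keystore, a password manager's encrypted vault and a screenshot in a photo library are three very different places for the same value, and nothing in the protocol lets the relying party distinguish them. That is why the other reply in this thread rates TOTP as only moderate assurance next to a hardware token whose secret cannot be copied out.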


It’s based on risk. TOTP tokens only provide moderate assurance.

If you have a lot of money, most brokers will ship you a hardware token.


Unfortunately, yes.


A decent point. It scares me to imagine all the security checks that would be required to make SMS actually secure against these kinds of attacks, and then getting everyone to actually follow them.


Then we need to do a better job making the UX easier. I'm sure Okta is working on that?


I feel I should clarify, I do not work for Okta, but play the role of Okta architect on TV.



