
No, it's not, and it's fucking annoying to deal with. I am on my desktop computer, stop sending me to my phone just to log in because you don't want to support FIDO or some other form of real 2FA. There's a fingerprint reader on my laptop, Face ID on my phone, and a YubiKey in my USB. Fucking use it.



Hey look, a bunch of disjointed, vendor-specific non-standards that become impossible to support. Imagine some hapless Filipino support agent trying to explain to an irate customer their YubiKey drivers are borked.

Why don't we just issue everyone PIV smart cards?


I don't know about the Windows side of things, but on Mac I imagine there's just one fingerprint API to support, same with Face ID. YubiKeys either work or get their drivers from the cloud like most other devices nowadays. I also don't know much about what Android has, but I would be surprised to learn if there wasn't native support for the various standards that are in place today, even if manufacturers aren't using it.


> Why don't we just issue everyone PIV smart cards?

Particle Image Velocimetry?

Penis in Vagina?

Pentium 4?

Edit: Hah! Personal Identity Verification!


Non-standards? They all implement the WebAuthn standard.


The macOS/iOS integration for autofilling SMS 2FA is so convenient due to this. Basically everything I do online now requires it.


When it works.

I switched this off by choosing the wrong answer to some vague prompt and could never figure out how to re-enable it. Assuming it's like the many iOS settings that can be reverted only by resetting the phone to factory defaults.


It doesn’t work on all sites and apps, which is an annoyance. Why it can’t intelligently offer the SMS OTP when a user is just waiting on an input field and an SMS comes with a code is beyond me. They should be able to decipher the messages, regardless of variations in formats, and know the code.

BTW, the setting to enable or disable this seems to be under Settings->Passwords->Password Options->AutoFill Passwords and Passkeys. Turning it off and on may also work (as these things tend to behave across devices and operating systems).


I feel like it works 99% of the time for me, can’t name a website where it doesn’t.


Which iOS settings require a factory reset?


> There's a fingerprint reader on my laptop, face id on my phone, and a yubikey in my USB.

Great! Not everyone has that! I do but if I could only implement one type of 2FA I'd probably still pick SMS.


Everyone can get an app on their phone or computer that supports TOTP, such as Google Authenticator.

https://en.wikipedia.org/wiki/Time-based_one-time_password


The problem is customer support load. Also what does the company do about those without a smartphone? No smartphone no service? This is why businesses peg account authentication to phone numbers. It offloads IAM overhead to phone companies.


Who cares. Spend the money on customer service people then. Companies don't need all the profits they make and investors don't need their 10000x returns when 9900x will do just fine.


Here we are on a website centered on an industry that has "solved" customer support by having zero live support. It's RTFM (or FAQ). Sometimes even paying customers get this treatment.


What happens when they smash their phone and now you have to do account recovery? With SMS authentication you can presumably offload that to the carrier.


Far far more people have a biometric reader or smart token than have a cell phone.

Smart phones are obviously phones and have biometrics. What you're left with is comparing the number of people with non-smart phones (~31 million in the U.S.) to the number of people without smartphones but who have biometric tablets, Windows Hello-enabled computers, PIV cards, etc.


Do you have statistics on the number of people who do not have smart phones but do have these other devices? I am not sure the intersection is as high as you imply.


The only people who don't use smartphones and don't have an iPad or similar tablet and don't have a recent computer... probably don't benefit enough from 2FA to justify the risk of account lockout.

In my social circle, the people who don't have smart phones are:

- People with disabilities that make reading from a small screen or texting a lot impractical.

- People who work in harsh environments who want something more rugged than a device made out of glass.

- People wary of the distraction of carrying around an entertainment device.

All of these people except one also have an iPad (especially the first group, as the larger screens help a lot). The one who doesn't does have a Dell XPS 13.


I would wager the number of people in the US with a smart token (I’m assuming you mean something like a Yubikey, ≈22M worldwide, most users have two) is probably close to 1:1.

I would also wager the number of people with dumb phones are close (but not as close) to those having computers without any biometric capabilities (and if they have them, they’re not set up).


Outrageous claims require outrageous evidence.


Yes. They do.


[flagged]


[flagged]


The sheer number of even just active phones in the world right now vastly outnumbers the amount of biometric/card readers ever made, combined.


I don't know about in the world, but there are approximately 325.4 million people in the U.S. with an active cell phone. https://www.consumeraffairs.com/cell_phones/how-many-america...

Of those, approximately 309 million (95%) own a smartphone. https://www.consumeraffairs.com/cell_phones/how-many-america...

Any remaining gap is filled by a single year worth of iPad sales; or filled by just U.S. DoD-issued X.509 certificate cards.

It's shocking to me how many people are vastly underestimating how many biometric devices and smart tokens are in existence.



