1) By definition, if your 2FA device gets stolen, you’re screwed anyway. Goodbye Authenticator. At least with SMS you can get the same number by contacting your carrier.
2) Roaming. Often free to receive texts abroad.
3) True
4) True, but it’s easy to keep it active assuming you at least have data on it
5) True, but it can cost peanuts with the right setup. I’m holding onto my European and Thai SIM cards with less than $5/year. My Google Voice number is free since 2009.
I agree I’d just prefer using Authenticator and Passkeys, but let’s not lie about the advantages of SMS.
Google have not been very good with that. For a long time they didn't back up at all, which meant if you swapped phones and didn't manually copy over you lost the codes. Now if you click the default OK button, it copies all the codes to Google cloud, which is OK if you don't have much money being protected, but if you do there's a vulnerability that hacking your Google account gets your TOTP codes and probably passwords if you save them in Chrome. I'm currently in that situation and will probably shift to some other provider so it becomes two things to hack rather than one again.
The problem is logging into your Google account without your 2FA device or phone number.
The answer in all these cases is having more than one option enabled. I just recently tested my Google and Apple login simulating a loss of phone and computer. It was tough but there are options (e.g. Apple lets a friend be your full 2FA, so you can even recover encrypted data)
I always back up the codes for the Google Auth stuff. They are just strings like VN3WBOTLQZUDFIWG. You can put them in a doc / email them to yourself / whatever.
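As an added illustration (not part of the commenter's post or of any authenticator app's code), the Python below derives TOTP codes from a base32 seed like the one quoted above, which is exactly why a backed-up seed needs the same protection as the authenticator itself. It assumes the common defaults (HMAC-SHA1, 30-second steps, 6 digits) and uses the RFC 6238 test-vector seed to check itself.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_seed(secret_b32):
    """Decode a base32 TOTP seed as apps display it (case/space tolerant, padding optional)."""
    cleaned = secret_b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def totp(secret_b32, at_time=None, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps, 6 digits by default) from a base32 seed.

    Anyone holding the seed can run this, so a backed-up seed is equivalent to the
    authenticator device and must be stored as carefully as a password.
    """
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // period                       # time step since Unix epoch
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter (RFC 4226)
    digest = hmac.new(decode_seed(secret_b32), msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_b32, code, at_time=None, window=1, period=30):
    """Server-side check allowing +/- `window` steps of clock skew; compares in constant time."""
    if at_time is None:
        at_time = time.time()
    for step in range(-window, window + 1):
        candidate = totp(secret_b32, at_time + step * period, period=period)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test-vector seed: ASCII "12345678901234567890" in base32.
    RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(RFC_SEED, at_time=59))          # 287082 per RFC 6238
    print(totp("VN3WBOTLQZUDFIWG"))            # the seed quoted in the comment above
```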
I have a huge issue with the phone becoming one’s identity.
I often see couples using each other’s phones and knowing each other’s passcodes. I’m not sure I could ever trust someone that much. I don’t think I’d even give my passcode to my own mother, and she’s never given me a reason not to trust her.
The worst part about it all is that it’s not opt-in. They just randomly start using SMS as 2FA. If I were to change phone numbers, I’m not sure what I’d even do. How can I change to a new number without control of the old number to get into my account? What happens if I miss one, because they randomly decide to use 2FA on an account I didn’t think to update? It’s a really bad system all around.
I don't know. I like it when my ISP or power company lets me opt in to texts about outages and provides periodic updates (as long as you can reply STOP).
I was on a 2 week camping trip and a nasty storm rolled through my home state. Power went out for 5 days and I wouldn't have known if it wasn't for the SMS notifications. I immediately cleared out my fridge and freezer when I got back.
Notifications are fine, what I mean is more things like verifying it is your account, forgot password etc.
Anything tied to material account actions shouldn't have anything to do with SMS.
Flight delays or notifications of works in your area etc won't lead to account takeovers or denying access to your account - but the way many companies use SMS can potentially lead to this.
I think it’s fine as long as an email is always collected.
This way if the phone is compromised your email is still there.
As far as convenience goes it is convenient in actual practice as an end user. I’m sure even if 1% have this issue that’s billions who are not. It’s cheap and it’s convenient. Your phone gets the message and autofills.
You don’t need to switch apps to check email or something. And your account will always be recoverable as long as your email isn’t compromised. If you lose your email I mean that sucks. But that happens anyway and it’s why people should rotate passwords and set up MFA.
Security can never be 100%. That’s just a fool’s errand. It should be convenient enough and secure enough that it works for as many people as possible.
Literally everyone else outside of HN doesn’t even care or understand. They don’t need to. Just use the apps to do your thing and move on.
-- edit --
I updated the first line to clarify that I'm not talking about one-off notifications etc.