
If Payoneer was using SMS-based auth codes, then it was clearly Payoneer's error for doing something so incredibly stupid.



I think it's security by popularity: You can't be blamed if it's "industry standard". Meanwhile, it's 10x less hassle than trying to get people to use an authenticator. Passkeys aren't perfect privacy-wise (and everything Google touches is suspect), but they are easy.


Not only that, but mandatory authenticators would also create a support (and security) nightmare the moment you stepped out of the upper-middle-class, privileged tech worker world.

They work great if you assume that everybody has a smartphone (as opposed to a feature phone), that they don't have their phones stolen every other month, that they know how to set up an authenticator app, that they'll remember to reconfigure everything properly when migrating to a new phone and won't immediately throw the old one away and so on.

This problem is made even worse by the notoriously bad UX of most authenticator apps, notably the lack of automatic iCloud / Google Drive backup functionality and their inability to automatically show the code on screen whenever it's needed.

The nice thing about SMS is that you can outsource most of the support burden to carriers, which have to handle it anyway. Carriers have the advantage that they usually speak the user's language, have an office relatively nearby, and can verify your government ID in person if need be.


> They work great if you assume [...] that they'll remember to reconfigure everything properly when migrating to a new phone and won't immediately throw the old one away and so on.

This would be a terrible assumption even for upper-middle-class people!


Did the carriers agree to take on this role of securing SMS messages for authentication? If I were a carrier, I would be actively fighting this nonsense.


The carriers basically have to do this anyway, one way or another, because people want to get their phone number back when something bad happens to their phone. This would be true even without SMS authentication.

A part of it is mandated by regulation: most countries require carriers to let their customers port their phone numbers out. When handling those port-out requests, they don't necessarily have enough data to decide whether the request is legitimate or not, yet refusing such requests too often would draw the ire of regulators, which is something no carrier wants.


How secure do they need to be? It's a single ephemeral factor. Every cell tower a numbers station. Sometimes I relay my OTP code to my friends in FB chat if I think the number has cool properties. I don't tell them anything else about the sign-in, so my self-breach has a rather limited risk factor. Didn't that LifeLock guy advertise his SSN everywhere?

I'd say reliability counts for more in these cases, and SMS was designed for unreliability, like UDP. So I'd be more concerned about the relationships and gateways from MFA services to send out their codes, and ensure that they can be received in a timely fashion. This message will self-destruct in ten minutes.


> You can't be blamed if it's "industry standard".

Thankfully, that's not true. Class action lawsuits can and do successfully target widespread industry malpractice. My first job out of college was as a paralegal, helping over 90 million American plaintiffs sue nearly every major life insurance company in the country for the previously common "standard behavior" of insurance agents convincing policyholders to periodically "roll over" their accounts, to the sole benefit of the agents and their employers. The settlement payout for each participant was typically meager -- but the malpractice was stopped.


> Thankfully, that's not true.

We'll see how much Crowdstrike pays out.


Directly or indirectly?


> If Payoneer was using SMS-based auth codes, then it was clearly Payoneer's error for doing something so incredibly stupid.

It's sort of ironic that the Krebs article indicates that these dudes were specifically targeting the "most secure" OTP methods we know: authentication apps, rather than SMS or email codes.

They were simply using social engineering and human trust to bypass the industry's best technical practices.

SMS and email are side-channel communications, so the attacker would need to intercept them, and hopefully suppress the legitimate receipt as well. I'd get kind of worried if my bank sent me an unsolicited code. But a consumer may be more credulous when their "bank" calls in to request one from them...


Bank Of America accepts _only_ SMS codes, nothing else.


That is not correct. You can use a "USB security key", e.g. a YubiKey. See https://www.bankofamerica.com/security-center/online-mobile-...


Woah, they actually do! Thank you! I was certain that no US bank supported WebAuthn yet.

They also do seem to check that it's actually a hardware key, i.e. software authenticators like Google's or Apple's default solutions don't work.


Good to know, thanks.


Chase, one of the biggest banks, still does not support anything beyond SMS/phone for 2FA.



