
Only for 2-factor schemes that rely on your phone number. Those are horribly insecure, there's a reason NIST and pretty much all security experts recommend against using them.

SMS authentication was created as a cheap hack to get around needing SecurID tokens, and should have been abandoned when TOTP (Google Authenticator and the like) became possible.



SecurID tokens do TOTP just fine.


True, I mean the OATH standard / RFC 6238-style TOTP, which runs on generic hardware (a smartphone or PC).


I agree with you completely that those are totally insecure. However, 2nd factor as a dictionary vernacular term has become synonymous in the press with a telephone number and some sort of texting scheme. Before this there was little incentive to hijack phone numbers. No longer is that the case.

Having a phone number is not secure in any way, proves nothing, and offloading security onto a totally insecure system such as the possession of phone numbers was a massive cop-out and completely irresponsible.

Maybe as you say there are 2nd factor schemes that don't use phone numbers but it hardly matters since the term 2nd factor has unfortunately come to mean phone numbers in the vernacular.


> 2nd factor as a dictionary vernacular term has become synonymous in the press with a telephone number and some sort of texting scheme

I don't think that's true. Both my banks issue hardware tokens for challenge-response type authentication; these are widely in use and understood to be 2FA, and the same goes for many other services.

It's a typical case of all cows are animals but not all animals are cows. I've yet to see the press categorically making that kind of mistake for 2FA; though I'm sure there will be some offenders, on the whole people - and the press - seem to know the difference. And it's up to us to correct these things where and when we see them, so if you do spot an article that incorrectly labels SMS as the one true 2FA then you should mail the author or the editor to get them to correct the record, pointing out that they are perpetrating a fallacy that could put their readers at risk.

This is not as far as I can see a lost battle - yet.



