While SIM swapping is certainly a concern, this article makes it sound like it's universally bad to rely on phones as a form of authorization. What are the alternatives? I'd argue that email is far riskier; it's more commonly compromised, easier to compromise, and less visible when compromised. Ideally, users employ more secure 2FA methods like TOTP apps or dongles, but it's like pulling teeth to get anyone to adopt those. Relying on SMS in addition to email is better than relying on either one in isolation. I don't think I agree that Google Voice numbers are necessarily harder to hijack, because to do that they just need access to your Google login (typically your email credentials).
There are risks all around, but this article doesn't offer any good solution that customers are likely to adopt in meaningful numbers. Maybe PayPal and other companies should require people to use secure 2FA, but they'd lose too much business.
U2F can't spread fast enough. For about a year or so it's been good enough that almost all U2F keys Just Work on all major browsers / platforms without installation or tweaks. That's huge, and it's actually a relatively recent state of affairs. I believe Firefox defaulted it to enabled ~1 year ago.
The next big hurdles are getting support from e.g. banks, getting keys into people's hands, and getting people familiar with them. Those efforts are underway in the corporate world and I am optimistic that they will cross-pollinate well into personal security. HN-ers are well positioned to help with all of these steps.
People already accept that they should lock their front doors and their cars with keys. Most people already lug a keychain around. I don't think it will be steady-state problematic to convince people to secure their bank accounts and email with keys. Example: my parents. I expected it to be difficult to convince them that they should use a U2F key to secure their gmail. It wasn't. Their response was more along the lines of "of course we should use keys, why weren't we doing this before?" They don't know anything about crypto, but they get the metaphor, and since it gives them a clear path to action, they are willing to engage with it. The answer to why we weren't doing it before is that the previous implementations were a PITA in a way that U2F isn't (TOTP was slow and fiddly, ISO7816 required non-portable setup), but now that we have U2F, I think people will be more willing than many here expect.
If we can channel the fear of SIM swaps into U2F adoption, I think it actually stands a chance.
I think the ultimate problem here is that the average person has no hardened mechanism for authentication. Using the infrastructure we have today, a combination of passwords and OTPs is better than other consumer-accessible alternatives.
Ultimately we need some mechanism for trusting and administering identity that is low friction and which can be used by 99.9% of users. The government offering a `login with apple id` like service would make sense. Then they could qualify various security chips, like the T2 or a YubiKey, for use with the service. As an added benefit, we could stop using stupid things like SSNs, tax ids, and driver's license id numbers to prove identity.
Eventually we could do interesting things like abstracting mailing addresses. Instead of mailing a package to my street address, send it instead to "me", and then I can authorize USPS, UPS, FedEx, or whoever requests it to look up my real address when they are sorting and delivering mail. When I move, I just update the _one_ database with my new address and I am done.
There are some obvious concerns with the government acting as a clearing house for identity. Perhaps the better option would be for private companies to be able to implement some sort of standard API, and limit the government's involvement to auditing these services.
TOTP apps are fine, if they're properly implemented (either completely on-device, or properly encrypted before being stored in the cloud). Services should properly implement account restoration codes in case access to the TOTP secret is lost. SMS should never be used for 2FA, ever.
There are some apps where, if my TOTP secret is lost, as horrifyingly annoying as it would be, I'd much rather need to take the time to get a registered public notary to stamp that they saw me in person, and checked my ID or other such documents, before the account recovery process can begin.
The "old ways" are usefully slow, have protections built around them for centuries of our culture, and I'd rather the annoying administrative headache and "slow" over the quick abuse of account recovery systems for theft and fraud.
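As an added example (not code from any commenter), here is what "properly implemented" TOTP plus account restoration codes looks like on the service side: RFC 6238 verification with a small clock-skew window and rejection of replayed codes, and single-use recovery codes stored only as salted hashes. The class and function names are my own; the secret and timestamps in the comments are the RFC 6238 test vectors.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    # RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    # With secret b"12345678901234567890" and at=59 this yields "287082" (RFC test vector).
    return hotp(secret, at // step)


class TotpAccount:
    """Server-side state for one account (hypothetical helper): the TOTP secret,
    the last accepted time step, and recovery codes kept only as salted hashes."""

    def __init__(self, secret: bytes, recovery_count: int = 4):
        self.secret = secret
        self.last_step = -1  # highest step already accepted; blocks replay of a captured code
        self.salt = secrets.token_bytes(16)
        # Plaintext codes exist only to be shown to the user once at enrolment.
        self.plain_recovery = [secrets.token_hex(8) for _ in range(recovery_count)]
        self._recovery_hashes = [self._hash(c) for c in self.plain_recovery]

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, 100_000)

    def verify_totp(self, code: str, now: int, step: int = 30, window: int = 1) -> bool:
        # Tolerate +/- `window` steps of clock skew, but never accept a step at or below
        # the last accepted one, so one valid code cannot be used twice.
        base = now // step
        for step_no in range(base - window, base + window + 1):
            if step_no <= self.last_step:
                continue
            if hmac.compare_digest(hotp(self.secret, step_no), code):
                self.last_step = step_no
                return True
        return False

    def verify_recovery(self, code: str) -> bool:
        # Compare against every stored hash in constant time; a matching code is consumed.
        candidate = self._hash(code)
        matches = [h for h in self._recovery_hashes if hmac.compare_digest(h, candidate)]
        if not matches:
            return False
        self._recovery_hashes.remove(matches[0])
        return True
```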
Email might get compromised more often, but that's usually due to some kind of user error. The problem with these SIM swapping attacks is that the only way as a user to guard against this is not to give the company your phone number. This often means that you can't do 2FA.