Why do you think SMS "2FA" is suddenly so popular with banks and other fintechs, despite things like passkeys and U2F, you know, things that _actually_ prevent people from breaking into accounts, having existed forever?
Any business vaguely money related knows exactly who you are because of KYC requirements. They don't need to ask for your phone number when they already have your full name, address, birthday, and SSN.
Victims can spend hundreds of hours over the course of years navigating corporate and legal bureaucracies before their account balances and credit scores are restored. The system absolutely makes a bank error the victim’s problem to solve. Guilty until proven innocent.
I don't think there's any jurisdiction that puts the identity theft victim on the hook for fraud. Yes, you might get threatening letters or dings on your credit report/score while the issue gets sorted out, but that's not the same as being "blamed" for the identity theft, any more than someone wrongly accused of a crime is "blamed" for the mistaken identity.
There's probably no jurisdiction that says the victim is on the hook, but plenty where the victim is on the hook by default and it's not possible for them to exercise their theoretical rights.
Try convincing your customers to all get a YubiKey... it's not fun. The majority of internet users are able to read an SMS on their phone and copy a code, however.
These keys eventually stop working, need a new battery, etc. Instead of the onus being on the customer to "pull" a new one of these keys, it would be better if you "push" them (mail a new one proactively every January 1st, give a $20 one-time service credit for activating it, and $5 a month credit for continuing to use it).
They could at least have it as an option. But, for some mysterious reason, of all the services I need a login for, banks tend to be the only ones at this point that don't support it at all.
SMS 2FA is good enough for most people most of the time. It's very bad at preventing high-skill targeted attacks against individuals, but it's perfectly good at preventing mass brute-force attacks.
It's popular because it solves the problem (not ALL problems, but the one they're trying to solve) and it's easy and low-barrier to implement and use.