Getting a second opinion is a great idea in both medicine and end-user cybersecurity. Two-factor authentication (2FA) and multifactor authentication (MFA) are powerful tools in the fight against all kinds of cyberattacks that involve end-user devices and internet-based services.
There’s just one big problem: It’s far, far too common for people to use text messaging as the second factor. That turns phone numbers into digital identity devices, a role they are poorly designed to play. If someone loses a smartphone or has it stolen or taken from them, they also lose their ability to authenticate. Worse, an attacker can transfer the phone number to another person, who will now receive the authentication requests.