
Ask HN: Why is there no built-in authenticator app in iOS or Android? - kensdorf
2FA via SMS is known to be flawed, yet it is by far the most common method.  I think more sites would offer 2FA via authenticator apps if they didn&#x27;t have to ask you to download a third-party app.
======
ggm
The flaw is in number porting. Your phone number is not adequately identifying
because social engineering attacks can cause it to move.

If the device secure zone integrated with a google auth app or OKTA then for
Data, I think its a good choice. But SMS is not about that: its about the
attack on the integrity of your ownership of routing of the number to "you"

I suppose I am saying that with a trusted zone, and a secure credentials store
on the device, I too would have expected google authenticator to be built-in
to the google pack.

------
tristador
For Android, preinstalled apps are set by the phone manufacturer. I suppose
each manufacturer could pick their favorite 2fa app and install it. There is
some pressure not to install apps that the user doesn't need as it's
bloatware. I'm not sure what percentage of users currently use an
authenticator app.

~~~
kensdorf
Right, but the idea is that a lot more people might use this if more sites
offered it and it was a built in feature of the device.

