I think the worst is when companies force you to leave SMS on as a fallback.
On stripe, I use a security key. Someone has to either steal my keyring, or steal my backup key.
But I'm force to leave SMS on as a fallback, so really, the weakest link is there, and a potential cracker only needs to break this extremely fragile insecure system, and completely bypass the security key.
So is stripe liable for your account being compromised due to SIM hijacking? The telephone companies claim they're not liable, and you certainly aren't liable, so who is?
This smells similar to banks not needing to check check signature anymore.
Even worse is when companies force you to use SMS as the first and sufficient authentication factor. EDF (the biggest European electricity provider) does that in France.
On stripe, I use a security key. Someone has to either steal my keyring, or steal my backup key.
But I'm force to leave SMS on as a fallback, so really, the weakest link is there, and a potential cracker only needs to break this extremely fragile insecure system, and completely bypass the security key.