2FA, an abbreviation for "two-factor authentication", means that to authenticate a client, you require two of the three factors: something secret that they know, something they physically possess, and something they are (biometrics). It's important that you require both of the two factors to authenticate, not either of them. Email and phone numbers are not even one of these three factors, so not only are they not "standard methods of 2FA", they aren't methods of 2FA at all.
Someone who claims they are using 2FA, but actually authenticates with email and/or phone numbers, is committing fraud.
Even if, for example, a phone number were something you physically possessed, authenticating with only the phone number, or with the phone number plus any number of additional physical possessions, wouldn't be 2FA, because you're still only using one factor: "something you have".
Historically, voice-based biometrics were a valid form of biometrics, even without a trusted path: you could prompt someone to say something they hadn't said before so that an attacker couldn't play back a recording. That is no longer the case. As https://news.ycombinator.com/item?id=29712024 pointed out, Tacotron made this a plausible threat already in 02018.
What do I expect bank employees to use? Well, starting 34 years ago in 01987, classified voice communications used a STU-III, which authenticates both parties with public key certificates. PGP made that level of security available to everybody 30 years ago in 01991; Git uses it to sign tags, and Debian uses it to sign packages since 02005: https://wiki.debian.org/SecureApt. Every HTTPS website uses something similar, though browsers routinely trust untrustworthy CAs, which vitiates the security of the scheme.
While we can't expect bank employees to be as technically sophisticated as Debian volunteers, I do think it's reasonable to expect them to be less than 15 years behind, particularly when tens of millions of dollars are at stake. I don't believe that this will actually happen with the existing banking institutions; instead, I believe that they will fail and demand bailouts, which will just expand the scope of the disaster.
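The public-key mutual authentication the comment above points to (STU-III, PGP, HTTPS), as an added example that is not the commenter's code: a challenge-response exchange in Go in which each party signs a fresh nonce with an Ed25519 key and verifies the other side's answer. It pins the trusted public keys directly instead of validating certificates or a web of trust (an assumption of the example, to keep it self-contained), and it demonstrates the property the voice-prompt scheme lost: an answer recorded from one session is useless against a new challenge, and a signature produced for one role cannot be reused for the other.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Party holds a long-term Ed25519 key pair and the public keys it trusts.
// In a real deployment the trusted keys come from certificates or a web of
// trust; pinning them by name here is a simplification for the example.
type Party struct {
	Name    string
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	trusted map[string]ed25519.PublicKey
}

// NewParty generates a fresh key pair for a named participant.
func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv, Pub: pub, trusted: map[string]ed25519.PublicKey{}}, nil
}

// Trust records the public key this party will accept for another name.
func (p *Party) Trust(name string, pub ed25519.PublicKey) { p.trusted[name] = pub }

// NewChallenge returns a fresh random nonce. One per session is what makes
// a recorded answer worthless later.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// transcript binds the signed bytes to both roles and the nonce, so a
// signature made as responder to one party cannot be replayed elsewhere.
func transcript(challenger, responder string, nonce []byte) []byte {
	msg := []byte(challenger + "->" + responder + ":")
	return append(msg, nonce...)
}

// Respond signs the challenge issued by the named challenger.
func (p *Party) Respond(challenger string, nonce []byte) []byte {
	return ed25519.Sign(p.priv, transcript(challenger, p.Name, nonce))
}

// Verify checks that the named responder answered our nonce with a signature
// from the key we trust for that name.
func (p *Party) Verify(responder string, nonce, sig []byte) error {
	pub, ok := p.trusted[responder]
	if !ok {
		return errors.New("no trusted key for " + responder)
	}
	if !ed25519.Verify(pub, transcript(p.Name, responder, nonce), sig) {
		return errors.New("bad signature from " + responder)
	}
	return nil
}

// MutualAuth runs one full exchange: each side challenges the other and
// checks the answer. It returns nil only if both directions verify.
func MutualAuth(a, b *Party) error {
	ca, err := NewChallenge()
	if err != nil {
		return err
	}
	cb, err := NewChallenge()
	if err != nil {
		return err
	}
	if err := a.Verify(b.Name, ca, b.Respond(a.Name, ca)); err != nil {
		return err
	}
	return b.Verify(a.Name, cb, a.Respond(b.Name, cb))
}

func main() {
	bank, _ := NewParty("bank")
	customer, _ := NewParty("customer")
	bank.Trust(customer.Name, customer.Pub)
	customer.Trust(bank.Name, bank.Pub)
	fmt.Println("mutual auth error:", MutualAuth(bank, customer))

	// Replay attempt: an eavesdropper records the customer's answer to one
	// challenge and presents it when the bank issues a different one.
	old, _ := NewChallenge()
	recorded := customer.Respond(bank.Name, old)
	fresh, _ := NewChallenge()
	fmt.Println("replayed answer accepted:", bank.Verify(customer.Name, fresh, recorded) == nil)
}
```

The design point is that freshness lives in the verifier's nonce, not in the prover's behaviour: the bank never has to judge whether a voice sounds live, it only checks a signature over bytes it chose a moment ago.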
> Someone who claims they are using 2FA, but actually authenticates with email and/or phone numbers, is committing fraud.
OK. I'll send you the list of all the companies that have done 2FA with me via email or a telephone number, and you can hit them up for fraud. Good luck! /s
I'm trying to figure out why you write dates with a leading zero. I can't think of any practical reason. Am I missing something or is it purely a stylistic choice?