🦿 Lucian Marin If they add a first factor (4-digit PIN code) and this second factor (cnet.com/news/yaho...), then we won't have to remember a password ever again. The PIN code is a weak link, but doesn't do much without your phone. Your phone is a weak link, but you won't get the SMS without the PIN code. Chained together they're almost stupid- and fail-proof.
Martijn SMS is a very open protocol, and actually isn't treated as safe by many security researchers. If they know your phone number and guess the 4-digit PIN, chances are you can be cracked. Not to say multi-factor authentication isn't the way forward; it totally is! Google Authenticator might be a solution, while we keep waiting for FIDO.
🦿 Lucian Marin It depends on implementation. A generated code sent as SMS can be time sensitive (30-minute availability window), based on your location, IP or other specific data. So, even if someone knows the PIN code, they have to own your phone too. Also, there should be a quick way to disable the account if someone has access to both.
9y, 4w
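The server side of the scheme Lucian describes, as an added example that is not from the thread or from any real provider: a one-time SMS-style code with a 30-minute window, bound to the session or IP that requested it, limited to a few guesses, and usable once. The account names, IP strings and the attempt cap are constructed values.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 30 * 60  # the 30-minute window mentioned in the thread
MAX_ATTEMPTS = 5            # assumed cap; keeps a 6-digit code from being guessed online


class OtpStore:
    """Server-side record of outstanding one-time codes, keyed by account."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._codes = {}         # account -> [code, issued_at, context, attempts]

    def issue(self, account, context):
        """Create a fresh 6-digit code bound to the requesting context (e.g. IP)."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._codes[account] = [code, self._now(), context, 0]
        return code  # in a real deployment this goes to the SMS gateway, not the client

    def verify(self, account, submitted, context):
        """Return True only for an unexpired, unused code from the bound context."""
        entry = self._codes.get(account)
        if entry is None:
            return False
        code, issued_at, bound_context, attempts = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._codes[account]      # window closed: force a re-issue
            return False
        if attempts >= MAX_ATTEMPTS:
            del self._codes[account]      # too many guesses: burn the code
            return False
        entry[3] += 1                     # every check, right or wrong, counts
        if context != bound_context:
            return False                  # code replayed from somewhere else
        if not hmac.compare_digest(code, submitted):
            return False
        del self._codes[account]          # single use
        return True
```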
Martijn SMS has loads of attack vectors. Cloned SIM cards, mobile base stations to alter your phone signal, MITM attacks. We know a lot of these things from the internet and WiFi, but the truth is they can often be applied to cellular networks as well. An email sent to your phone over SSL might be safer than a text message, though I am no expert. Of course these attacks are a little hard for non-government parties, but if all banks use it criminals will quickly get in on the market.
9y, 4w