
I wonder what the companies requiring 2FA think about uncompleted 2FA bounces. Deterred fraudster? Short attention span? SMS sucks?

Every second SMS authorization does not reach my phone. Just yesterday I couldn't log in to my GitHub from a new computer, because my phone did not receive the authentication code. I didn't get any bans because of that. I think that a lot of people experience similar problems, so it makes no sense to look for fraudsters; 99.9999% will be false negatives.
There's really no reason to use SMS 2FA for GitHub though, you can literally pick anything else.
Anything else could be lost. I can always get a new SIM card for this number. I don't need to back it up and I can't accidentally delete it. That's the biggest reason for me to link my phone number everywhere. I'd hate to lose access to my GitHub account.
I don't see how I could simultaneously lose my three hardware keys (laptop, phone and Yubikey) and backup codes.
It's also not very hard for scammers to get a SIM card for your number, unless you're using a carrier that specializes in not allowing SIM swapping attacks.
That's why 2FA is called 2FA. It should require two factors. SMS + password, for example. So scammers would need to both steal the password and perform a SIM swap, which hopefully is a bit harder.
I dislike SMS 2FA and services that use my phone number as a stable identifier, however SIM swapping is not really a thing in most countries.
I implemented 2FA at a previous job and I was responsible for the production implementation working as expected. My thoughts were that uncompleted 2FA attempts are common for a number of reasons: typos, someone gets distracted, didn't have access to phone at the time, SMS sucks (either our sending side or the receiving side), etc. I didn't put much thought into it beyond that. (Should I?)

I implemented rate limiting/lockouts for too many 2FA failures. I added the ability to clear the failed attempt count in our customer support portal. If we had any problems after those were implemented, I never heard about them.
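The failure counter, lockout and support-side reset described in the comment above, as an added example (not the commenter's own code); the thresholds, the fixed-time `now` parameter and the in-memory store are assumptions made so it runs offline:

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILURES = 5            # assumed threshold, not from the thread
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window
CODE_TTL_SECONDS = 5 * 60   # assumed lifetime of an issued SMS code


@dataclass
class AccountState:
    code: Optional[str] = None      # the outstanding one-time code, if any
    code_expires: float = 0.0
    failures: int = 0               # consecutive wrong submissions
    locked_until: float = 0.0


class SmsSecondFactor:
    """Issues one-time codes and gates verification behind a failure counter."""

    def __init__(self):
        self.accounts = {}  # type: Dict[str, AccountState]

    def issue_code(self, user: str, now: float) -> str:
        st = self.accounts.setdefault(user, AccountState())
        st.code = f"{secrets.randbelow(10**6):06d}"   # six random digits
        st.code_expires = now + CODE_TTL_SECONDS
        return st.code   # handed to the SMS sender; never log it

    def verify(self, user: str, submitted: str, now: float) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"          # do not reveal whether the code matched
        if st.code is None or now > st.code_expires:
            return "expired"         # an uncompleted attempt, not a failure
        if hmac.compare_digest(st.code, submitted):   # constant-time compare
            st.code, st.failures = None, 0            # single use, reset count
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.code = None           # invalidate the code under attack
            return "locked"
        return "wrong"

    def support_clear(self, user: str) -> None:
        """Customer-support action: clear the failure count and any lockout."""
        st = self.accounts.setdefault(user, AccountState())
        st.failures, st.locked_until = 0, 0.0
```

A code that simply expires (the "uncompleted 2FA" case) is not counted as a failure, so only repeated wrong submissions trigger the lockout.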

I assume it shows up as a hAcKErS sToPpEd figure in a quarterly report where they pat themselves on the back for it along with CAPTCHA hassling, blocking browsers that are too secure, network address bans, popups about "passkeys", forced password changes practically every login, etc. If they had any sense they wouldn't be pushing this nonconsensual trash to begin with.
I do not know, but I am given a code via SMS for each operation, and each SMS costs more than a regular SMS, so the bank often deducts quite a lot of money from me as an "SMS fee".
