• lazyvar@programming.dev · 2 upvotes · 9 months ago

    USPS’ website does this, sort of.

    If their text service is down it’ll let you know and just skip the 2FA process even though normally they offer an option to get the code via email.

    The fact that they do this is bad enough; the fact that this happens so often that I’ve seen it at least a dozen times is even worse.
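    The behaviour described above (an outage on the preferred 2FA channel causes the second factor to be skipped altogether) is a fail-open design. The following is an added illustration, not code from the original thread or from USPS, contrasting that fail-open selection with a fail-closed one that walks the user's other enrolled factors and, if none is deliverable, still refuses to complete the login on the password alone. The `Factor` enum, the `FALLBACK_ORDER` preference list, the `Decision` record and the health/enrolment sets are all constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set


class Factor(Enum):
    TOTP = "totp"      # authenticator app; needs no delivery channel
    EMAIL = "email"    # one-time code sent by email
    SMS = "sms"        # one-time code sent by text; weakest of the three


# Constructed fallback order: offline factor first, delivered codes after, SMS last.
FALLBACK_ORDER = [Factor.TOTP, Factor.EMAIL, Factor.SMS]


@dataclass(frozen=True)
class Decision:
    second_factor_required: bool   # False means the login may finish on the password alone
    factor: Optional[Factor]       # channel to challenge on, or None if there is none
    reason: str


def choose_factor_fail_open(preferred: Factor, healthy: Set[Factor]) -> Decision:
    """The flawed pattern from the comment: preferred channel down, so 2FA is skipped."""
    if preferred in healthy:
        return Decision(True, preferred, "preferred channel available")
    return Decision(False, None, f"{preferred.value} outage; second factor skipped")


def choose_factor_fail_closed(enrolled: Set[Factor], healthy: Set[Factor]) -> Decision:
    """Fail closed: try each enrolled factor in strength order; if none can be
    delivered right now, keep requiring a second factor and let the login wait."""
    for factor in FALLBACK_ORDER:
        if factor in enrolled and factor in healthy:
            return Decision(True, factor, f"challenge via {factor.value}")
    return Decision(True, None, "no healthy second factor; login deferred")


def login_allowed(decision: Decision, second_factor_verified: bool) -> bool:
    """Gate the session-creation code should call. A password-only login is
    possible only when the policy explicitly says no second factor is required;
    with fail-closed selection that never happens."""
    if not decision.second_factor_required:
        return True
    return decision.factor is not None and second_factor_verified


if __name__ == "__main__":
    # Constructed user: enrolled in SMS and email, no authenticator app.
    enrolled = {Factor.SMS, Factor.EMAIL}
    # Constructed outage: the text service is down, email and TOTP are fine.
    sms_down = {Factor.EMAIL, Factor.TOTP}

    print(choose_factor_fail_open(Factor.SMS, sms_down))      # skips 2FA entirely
    print(choose_factor_fail_closed(enrolled, sms_down))      # falls back to email
    print(choose_factor_fail_closed(enrolled, set()))         # everything down: defer
```

    The point of `login_allowed` is that the only way to reach a session without a verified second factor is a `Decision` whose policy says none is required; auditing for fail-open behaviour then reduces to checking that no code path produces `second_factor_required=False` for a user who has any factor enrolled.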

    • KevonLooney@lemm.ee · 0 upvotes · 9 months ago

      The least secure part of the sign-in process is the person. It doesn’t matter what the 2FA method is.

      You can be using a one time pin and someone can look at your paper and see the next one. Someone can trick your grandma into giving out the Google authenticator pin over the phone because “they’re from Google”. Someone can trick you into making the financial transfer yourself because “you’re getting a deal”.

        • redcalcium@lemmy.institute · 1 upvote · 9 months ago

          Which is why SMS-based 2FA is useless if you’re being targeted by a motivated hacker. If you’re an important person (e.g. a government official, an exec at a big corp, a celebrity, etc.) it’s not safe to use SMS-based 2FA. Heck, even if you’re nobody, a hacker might decide to target you anyway to access the company you’re currently working at, or because you have something they want (e.g. a desirable Twitter handle). One call to your cellphone carrier to complain about losing your phone, with some social engineering skill to dupe the minimum-wage call center worker who doesn’t really care about being vigilant, and suddenly the hacker gains access to your cellphone number (doubly easy with eSIM) and thus your SMS-based 2FA.