Losing access to a phone means losing access to your TOTP codes as well. So that's no different than losing access to SMS.
TOTP codes can be shared between multiple devices - which makes them less unique than an SMS to a specific MSISDN. Your ability to back up a code doesn't necessarily mean you have the ability to store it securely.
FIDO tokens can also be lost.
I don't know why you're asking for your congress to fix this. You live in a free market, so move your business to someone who you think takes security seriously.
For SMS auth, you can get the cell company to re-issue a sim if you lose your phone. This is a feature and a bug, thanks to social engineering attacks. Also, the SMS transport layer isn't secure.
With TOTP, you can put the TOTP code in your password manager with all your other passwords, which is probably what I will do if it catches on. It's effectively one factor at that point. (Do you know my password manager's password?)
> You live in a free market, so move your business to someone who you think takes security seriously.
Adorable. Please show me a bank, utility provider, brokerage, widely-used P2P money transmission service, and phone provider that each offers WebAuthN (without a mandatory fallback to SMS-2FA).
There is absolutely no "free market" for authentication methods: Everybody does almost exactly the same thing, as authentication probably does not even make their top 10 business priorities.
Ah, your earlier statement ("you live in a free market") implied otherwise. Maybe something worth considering before asserting that there is free market choice in all of these industries.
"so move your business to someone who you think takes security seriously."
For banks, it is not that easy and convenient. I like my banks for many reasons except the 2FA thing. Most banks, at least in the US, are still doing SMS 2FA. I am done with the whole "If not happy, move" and want to figure out what we can do to educate/force these banks to do it the correct way.
That's literally the point of capitalism. Organisations are free to offer any service they like and customers can choose which one best meets their needs. If enough people move to the one offering better 2FA then the others will follow.
Having the government force companies to behave in a certain way sounds dangerously close to socialism to me.
Sure, let me just move my brokerage accounts to a provider that supports FIDO. I am sure that is a real thing that the free market has provided or will provide soon.
I'm sticking with Schwab for now because they are at least vishing-resistant. I have a 'verbal passphrase' and support will not help "me" unless I provide it.
> so move your business to someone who you think takes security seriously.
That is exactly what I did. I was with a major bank but they would not take my security seriously and only did 2FA. I moved to a small local bank that allowed me to lock down my accounts so that from the internet they are read-only. I have to physically go into the bank and show ID for most of my accounts. That leaves one account I can use for small online purchases.
I am working with them to implement better security around ACH/wire transfers. That's not even a discussion I could have with the bigger banks.
Changing banks is not free market, just like changing insurance companies. Most banks in the US enforce SMS 2FA. I would rather want the choice of not doing SMS 2FA. If you cannot implement better 2FA, don't force me to use SMS 2FA and I assume the risk on my end. That's a free market.