Not as mobile: you need internet and a smartphone. I still have a friend with a dumb phone. I'm sometimes in zones without internet but my mum call me and ask me to give her some confirmation code I receive.
Not as simple: stuff arrive in the spam folder. Some providers just reject your valid mail (my main email tld is exotic, it causes lots of troubles). People receive so much junk they lose your message in 1000 of unread mails or are afraid of checking them.
Not as interoperable: there are new kids that just don't have emails setup on their phone. They check them once a month at home on the computer. Email is for old people (although text is getting there too).
Plus email is almost as easy to spoof and intercept, so the gain would be minimal.
Sometimes I'm traveling and don't want to pay exorbitant roaming fees. Or sometimes I'm in a building or basement without phone service.
I'm sure there are a few people without email on their phones but I don't think the number is dramatically different than those without SMS right now. If I have cell signal I have email, but I can have email without SMS access.
If you don't have internet, you arguably don't need to receive OTPs either (since these are usually used to log in to some online service or confirm a transaction in one), no?
E.G: last week, my brother wanted to try one of my service account on his ipad (we set it up only on his computer). He tried to connect with my password, but any new device requires a 2FA. So he calls me, and I gave it to him.
Now, in this particular example, I was at home, so I had access to internet.
But I'm often traveling to places where I don't.
In fact, I lived in Mali for 2 year where this has been a big trouble for all administrative stuff. Nowadays, I would assume a lot of Malian people have a phone numbers, but no emails, anyway.
But without going that far, the French country sides have plenty of places where you get text but not internet. And being in a car or train is often enough for that.
I don't think SMS is a good 2FA. I have 3 yukikeys at home.
But I believe any geek should first spend a month working in a call center before making a comment about 2FA.
There is a looooong tail of things getting wrong, and there is a reason corporations chose SMS: they tried all the rest, and it was worse.
Now thing are getting better with in app 2FA notifications, but of course it assumes you have a smartphone.
> Not as mobile: you need internet and a smartphone.
> I'm sometimes in zones without internet but my mum call me and ask me to give her some confirmation code I receive.
We're talking about multifactor authentication here. Where/how are you authenticating without internet access?
> Email is for old people
I guess that makes me old. Does that disqualify me from using multifactor authentication?
> Not as simple: stuff arrive in the spam folder. Some providers just reject your valid mail (my main email tld is exotic, it causes lots of troubles).
All of this happens to me with SMS much more often than it does with email.
> Plus email is almost as easy to spoof and intercept,
Agreed on spoofing, but that's not a problem for OTP authentication. Complete disagree on interception – I believe SMS is much easier to intercept, on average.
