
That’s a problem with the user, not the protocol or the system; users have been and will always be the weakest point, but they are accountable for it if it happens, which is not the case for SIM swap attacks.


Yes, true. However, to paraphrase a red team operations book I read, if the user can be tricked into compromising your security with a click, then you can't blame the user. An organization's defensive security strategy should not hinge on a single user's decision to click or not.

Edit: I am swapping users with you, sorry for the confusing reply. I'm thinking telecom employee; you, the user of the app that got swapped (I think, apologies if I am wrong).


Ha! I was going to say if you solve the user vulnerability then congratulations, all systems are mostly safe! Before reading that you meant telecom employees.

The reality is that TOTP, despite any issues, is far more secure and available than SMS: security for obvious reasons, but also availability. You can have your TOTP token accessible everywhere (say, in your password manager), but if you can’t receive an SMS because you lost your phone or maybe are traveling, then you are in a tough position, maybe even locked out completely. I personally even back up the TOTP tokens so I can reuse them without being tied to a specific platform/app (I am looking at you, Authy!)


I completely agree with you.



