A lot of companies choose SMS for no other reason than that it really limits spam and cuts down on fake accounts. People are conditioned, for the most part, to be free with their phone number, making it pretty much the only identifier that can't be changed easily and without cost or human effort (it's not too hard, and often normal, to block VoIP numbers). Sure, you can say, well, then also require some other form of authentication. These companies are trying to make money and go to a lot of effort to reduce even the slightest friction for new customers. Besides, once they have SMS and 98% are happy with that, why put more work in?
The real problem, though, is: what other choice do they have? Yes, you and I would put the effort in to both secure and properly manage better systems, but the vast majority would quickly forget or lose any other method. They have to make a system that is "secure" for them anyway; why implement other systems? (Yes, I know you and I think it would be worth it for us, but maybe the bean counters don't.)
It's completely understandable that the average person THINKS that SMS is secure; everyone depends on their phones and uses them for very personal, private and sensitive business calls. Even without tech companies using it for auth it would be exploited, just not as much.
Unfortunately it would just take an incredible amount of cooperation, expense and growing pains to properly secure the telecom network. They are extremely interconnected legacy systems that are designed with the assumption there is no security besides trust.
That being said, they could improve things a whole lot more if they were able to verify their customers better on support calls, or at least had higher security options you could enroll in, so they didn't put people who cared about security with the ones who can't even keep track of their own account numbers.
Personally, without governments coming together to implement a digital "secure" citizen identification system (also very scary), probably the best we can hope for, and I think Google now allows this, is that after it's verified by phone you remove it as an authentication and recovery option and set up multiple hardware security keys/passkeys. Ya, people will still be idiots and use SMS even when there are better options, but at least some of us can be secure.