> The bug is in the design of 2FA

While 2FA is often phrased as “Something you know and something you have”, I find that misleading. Knowledge is acquired from information, and the way they check what you have is through information alone.

What it really proves is that the telephony system authenticates you as part of their network. That authentication is done by the SIM card, which it is assumed you have unlocked with a password of entropy 13.3 if it's a PIN code with four random digits.

That, and your actual password.

By far the easiest way to get incorrectly identified through the telephony system is to break the PIN code, which requires having physical access to your SIM card. But if all your secure HTTP cookies and/or your keyrings are only protected by that as well, then yes, your 2FA has a single point of failure. It goes from an arbitrarily strong password and something you have to a 13-bit entropy password and something you have. Or, if, like so many, you leak PIN code information from your life or the traces you leave on the surface of your phone, just something you have.
