It isn't the users that are the problem here, it is the telcos with respect to the simswaps: if social engineering is used to get sims to be issued without proper verification, then fix that. If SMS isn't encrypted properly that is an issue, but pushing various commercial alternatives that have broken and/or partial support isn't a solution either. As for my telco seeing the message content, I'm not too worried about them having access to one time use codes that will live for the next minute at best. And the institutions that force SMS usage on their users are the real issue.<p>It is fairly easy to point to a problem but solving it is an entirely different level and this article doesn't really do anything that would allow your average user to say get VISA/MC to use other channels, ditto for various datarooms and other instances where 2FA and SMS have somehow become synonymous.<p>The only party that does any of this properly is my bank, which issued a secure hardware token that I need to operate separately from my computer in order to generate one time use codes. I'm sure that there are ways to abuse those (a gun to the head of a family member would do nicely) but they are a lot more secure than anything else that I see out there.
For the reasons listed I got myself three Yubikey 5 NFC dongles and removed SMS wherever possible. Unfortunately the authentication landscape is still very fragmented. AWS root accounts for instance cannot be secured with multiple hardware keys, only one. So no backup. The only solution is to use virtual OTP and register the same OTP setup key on multiple hardware keys. Only Google seems to have the ability to register as many keys as you want.