MFA in sad reality

Curious

This is a little tricky topic but to my understanding the true MFA (Multi-factor auth) should be done in layered way for example how GOS is offering users to use 1st pin and then a 2nd if they wish to, or pin + finger print etc., but the important part is that the auth is done one after another not in a way that one can backup the other.

I am trying to understand why companies/services etc. do this, like they offer you to use 2FA application but also to use that app they require you to use also a phone number which in that moment can server by their words as "another security measure" to "improve overall security" of an account.

Now tell me am I crazy or not but when you have an username + password, then you have 2FA app, but also for that 2FA app (which can be proprietary to a specific service) you have to provide a phone number to verification and from that moment that phone number can be stored and used as a backup option for 2FA (which is bad) and/or as a recovery option in case you lost your 2FA app or such.

This is not a MFA right? It seems to me like making 2FA weaker in trade of to make it convinient or less support overhead.

So in a common sense if MFA is not layered there is no reason to have it because it could increase attack surface?

Your thoughts on this?

n3t_admin

Curious So in a common sense if MFA is not layered there is no reason to have it because it could increase attack surface?

Security isn't binary - it's a spectrum.
You will still have a 99% higher chance of survival from a data breach, where cleartext (or weakly hashed passwords [without a salt]) are leaked. It is still MFA in a sense, it's just not very good. But, as I noticed from personal experience, most important sites offer true MFA in form of passkeys or FIDO keys. That is sufficient usually.

user2025

Proper MFA or 2FA is made of 3(three) things:

what you KNOW
what you HAVE
what you ARE

Any combination of minimum two from above parameters / constraints should be enough for validation to be a login & authentication' certified and secure.

Username and password falls under what you know only.

Curious

n3t_admin True something is always better than nothing, but you know what it would be a blessing if for example majority of banks accept FIDO or even some big gaming platforms instead of their own proprietary, most time strangelly designed apps. (but I found out in Yubico list that they are compatible with Epic for example, so that is a start I guess).
But it is a hussle for services.
Also I realized that MFA is superset of a 2FA but what I was talking about is kinda like overkill and we can call it like 3FA or 4FA in that MFA sense, I know that "horizontal" MFA is great for convinience but...
If you have a option to use 2FA app and also add a phone number which can be used as alternative method to login, 2FA or recovery option to remove 2FA if you lose it, would you go for it, insted of sticking with just 2FA app and well if something go via customer support or just use recovery code?

n3t_admin

Curious my bank (and I think banks in Europe in general?) don't provide SMS as 2FA anymore. Seems to be due to some EU directive from a few years ago.
The situation you're describing sounds like the classic US experience, where so many things are so backwards, despite all the technological progress. Like people not being able to download a different messaging app and resorting to shitty iMessage or RCS. I think having SMS as 2FA is a blessing for those banks, because everyone is stuck in SMS land anyway.

I personally run hardware keys for secure logins, including my self-hosted stuff. Buuuut I've been also thinking about adding Authentik or Authelia to my own services that I host, which don't support any 2FA OOB.
In general, I don't have any active services (besides my Apple Account) that still use SMS.
For less critical accounts I also use TOTP apps (like you mentioned), but with the YubiKey as the authentication method in conjunction with the Yubico Authenticator. For most accounts, I have multiple fallbacks. 2 different 2FA methods (FIDO + TOTP) and I also save the TOTP seeds on the initial setup in an encrypted file. I haven't ever locked myself out of any accounts so far.

Curious

n3t_admin I mean banks still still use phone numbers for verification of a client, but I wanted to ask in general is it good idea to use anon SIM for banking (or similar service) or those types should be strictly used with plans that are on identity check etc.? You know the second one would make sense but so many PII data leaks that are happening recently I am not sure really.

The thing HW keys are I think the best option but the problem is that not all services suports them, banks included big time.

n3t_admin

Curious use anon SIM for banking

I wouldn't do that. Use a regular provider. But - even better - switch bank to something less shit.

Curious

n3t_admin I mean regular provider offers SIMs that are not on name etc. without an issue, yea sorry my bad I was talking about pre-paid or pay-as-you-go, but those can still be bought by cash and without any identity. (also the massive problem with that is paying for plan when you are mostly not calling, texting, using data is like crazy with their current prices), also what bank? Every single big bank in my area do this, like not in a way that they are using phone number as access point to an account but as a "secure" contact method.
Obvisouly to access account you use app that is tight to an device as an HW key but... the phone number is still here, there is no way to not to use it, unless you don't use online banking at all.