Ask HN: Why did smartphones become a single point of failure?

238 points by neverminder ↗ HN
i can't log in to any of my banks without my phone. Most of the systems in my workplace also require phone app authentication. I can't do any of those things with just a PC or laptop. Smartphones being the smallest and portable are surely the most lost and stolen. If someone got a hold of my PC or laptop - they would be able to do some damage, but not even close to if they were able to access my phone. Everything everywhere nowadays requires some app.

288 comments

[ 1.7 ms ] story [ 173 ms ] thread
>i can't log in to any of my banks without my phone.

Don't know about banks in Europe but in USA, I can log into Bank Of America and JP Morgan Chase without any phone authentication.

If I reformat my harddrive or buy a new computer and the bank doesn't recognize the web browser because no previous cookie has been found, the website will generate a one-time code and send it to my email address. I then enter that security code and the web browser is "recognized" without further issue. The smartphone was not needed in any step.

EDIT ADD: I did open my bank accounts before 2007 and thus before the smartphone era. Because of that, there may be a possibility that my logins are "grandfathered in" to not require any smartphone app authentication. It's possible that opening new accounts today with BofA/Chase require smartphones but somebody else would have to confirm/deny that.

In Italy it's a disaster. You need the phone /and/ their specific app, for mostly everything. From burgers, to banks and everything in between...
The biggest bank in Slovenia also requires an app, but I wrote a webapp that implements the reverse engineered protocol the bank uses in the mobile app (the protocol is basically a TOTP implementation brought from a private company).
In Europe we have it in few countries.

In my case - You enter your unique ID (6 numbers), then I’ve to type 4-number PIN on my phone. There’s also verification-number shown on both sides, to compare authenticity . When approving payments, it also shows details and requires longer PIN code.

Much easier than earlier versions.

And authentication provider can be used at Insurancy, e-government, e-signing and other services.

I can log into my bank without my phone in Denmark, but they are pretty much getting rid of that capability. Supposedly more 'secure'
That's code for 'cheaper'. Banks in the Netherlands are constantly trying to push all their customers to their apps, some (like ING) are actively trying to get rid of their alternative (but keep getting somewhat forced to offer it), and some (like BUNQ and KNAB) are 'smartphone only' from the start.

Cryptographically, the idea of a discrete piece of hardware that uses the chip in your debit card to generate secure responses is fairly sound. And if smartphones didn't exist, it would be an unquestioned piece of technology that might even be commodified to the point that any such device could be used by all banks in the country. But smartphones exist, and having the customer loan the banks their hardware (which is often replaced within five years, so free updates too!) is quite attractive. No more hardware to support!

My Swedish bank offers two methods. One is the nationwide e-identification system called BankID - used for loads of commerce/governmental/identification/authentication in Sweden - which requires Internet access and works on computers as well as smartphones. The other method uses a discrete HOTP-type device (with a personalized login card) which accepts a challenge code from the bank login page and outputs a digested authentication response. As far as I know, all major banks in Sweden offer both or at least one of these two methods.

In the past a lot of banks here used OTP scratch cards, and would automatically send you a new one in the mail when you used one of the 10 last codes or so on the card.

A bank in Finland: they try to push their authenticator which doesn't work on my phone (de-googleized android and too old),but they have retained the option of using an OTP code list + sms, previously it was just OTP code list, but due to some silly directives they added sms.

Authenticating with bank OTP also work for government and other stuff. (Common here as there is no state authentication system other than some failed id cards afaik.)

I really never got the point of the SMS. If I was deciding it I would have mandated that authentication can't be on the same device payment happens. Just to see how they solve that issue...
Similar experience in the US with the banks I’ve used. I can simply use the PC without involving my phone.

Also if all else fails I can go in to the bank and take care of things.

I had a Chase account and for some years was able to use email for 2FA. Somewhere around 2019, they changed their requirements and forced SMS for 2FA. Since I don't use a (SIM-ed) phone and since my wife's phone number was already known to them, I had to pull all of my liquid savings out of the account and move it elsewhere.

I will never bank with an institution that requires SMS for 2FA.

> Somewhere around 2019, they changed their requirements and forced SMS for 2FA.

I just logged into Chase via desktop web browser and there's not a 2FA requirement.

I also deliberately used a different computer and got the familiar security prompt of "We don't recognize this device": https://imgur.com/a/jKM4MPq

I see that sending the challenge code via email is not in the list but there's an option to call them for it. It's more inconvenient but it looks like neither SMS text nor a mandatory Chase smartphone authenticator app is required.

Indeed it's incredibly stupid development. Fuck smartphones, really. I don't own one and I feel happy overall, but life is complicated because nowadays some sort of stupid app is required (most of the time, for no good reason) and dealing with those requirements always cost so much thinking.

I don't want a micro-computer in my pocket, I stay at the computer all day anyway, a better one.

Why can't I do with a real computer what it is possible to be done with a phone?

A smartphone is just a tracking device, and it is terrible for privacy - but great for advertisers and similar industries.

Otherwise, a computer should be able to do everything a smartphone does.

Me too in my ideal world I wouldn't have a phone, but now I need for transport, food, financial services, nearly everything.
I don't know where you live, but in Europe you can still live without a smartphone. But I live in a city with good public transport (no need of ubers); banks still works without smartphone (but you need a burner phone for SMS, unfortunately), etc.
"Europe" is big and diverse. So while there exists places in "Europe" where that is true, in many other parts of "Europe" it is getting harder and harder.
Oh, I don't know about the rest of Europe, but here in Italy you either have to deal with it, or restrict yourself oh, so very much. (to the very few services that still work without a phone). Here most everything, even state portals such as, medicare, tax, national motorists services, pensions services, etc. are nigh impossible to access without a phone.

And it's so sad.

Amen to that.

Plus, half of the 2fa apps from the various services (most of which just want their very own app) work only on recent phones and most won't even install without google-services.

And if you lose your phone, you're toast!

So, it's not enough to have one smartphone always at hand...

You must have a backup phone too!

... and both must be fairly new... and they must both bear the all-dreaded google-battery-eating-spyware...

Absolutely!

I lost my iPhone 7+ recently and had no idea how attached I was to that phone. Being someone conscious of infosec I had iCloud turned off and what I thought were minimal apps installed. That said, and with the fingerprint reader/my 18 char PW, I'm pretty sure no one besides a nation state/NSO could get into my phone. So losing it wasn't really a big deal except for the loss of contacts (had most on a old phone) and being locked out of my email (thanks 2FA).

Unlike you, I haven't gone fully phone free. But I do now have a free Android phone that has nothing on it that I can be locked out of. No medical, no banking, nothing personal except for email. And if I felt I could get away with it, I'd have no phone at all.

But that’s kinda convinient [1]. The problem is, that there’s no real proper fallback/backup-plan.

[1] not only it’s convinient, it’s also similar to what all the future predictions regarding technology said. Some small gadget or bracelet connecting over air and doing stuff.

There is a backup plan. For corporate systems, contact the IT department. For banking, call the bank or go to a branch. TOTP-based schemes can be backed up and used on multiple devices. So on and so forth.

It just so happens that most of these backup plans are incredibly inconvenient and might take a long time and effort to get through them.

Something like that, ain’t a plan in my eyes. But yeah, what’s exactly what’s wrong with plan. God forbid you have to book appointment and arive somewhere to get it resolved…
Because using phone numbers to decide if human or bot is cheap, easy, and effective.

Politically, there is no will for a national identity verification type service as infrastructure. And this way, all the work gets outsourced to ATT/Verizon/T-Mobile, and politicians get to say “it is not our fault” and telecoms get to say “it is not our job”.

And scamming yourself to another persons phone number to entirely take over their digital life is also cheap, easy and effective.
And that is a problem for a sufficiently small population that it is not yet a political priority. Crazy, since the federal government already does passports, and the infrastructure is basically in place with USPS offices.
ID is an issue that both extremes of the political system are against.

Super conservative types are worried about mark of the beast, etc. Super progressive types are worried about folks on the margins of society being able to get ID.

You don't need a smartphone to have and use a phone number. I suspect the OP is about smartphone app authentication.
Oh, yes, I think I misread. In that case, I guess the spam/bot reduction efforts are outsourced to Apple and Google’s App Store and mobile OSs.
The lack of political will you speak of is better seen as a reaction to the deeper problem that there is no political will for protections that would go against commercial desires. Social security numbers were created solely to facilitate social security but had no legal protections enforcing this, and thus are now being widely abused by private companies. The same with driver's license numbers. Without a US GDPR that gives me the right to delete my permanent records from corporate surveillance databases, I am dead set against government mandates that would create even more vulnerabilities for unaccountable surveillance companies to exploit.
Or vulnerablities for fully accountable governments to exploit, either. Governments may be accountable to their supporters, but they're not necessarily accountable to me. They could decide tomorrow that it's illegal to be Jewish or to have been descended from Jews, and they have before.
That's a much stronger argument, that I'm indeed sympathetic to. But I don't think it will ever win in the courts of public opinion or practicality. In general, governments are always going to demand some way to identify and enumerate their citizens, and so making that a deliberate thing rather than an emergent thing allows it to be better constrained. If involuntary storage of personal information were limited to bona fide government purposes then, for instance, we could politically complain when the government wanted to catalog everyone's ethnicity/religion in their databases. As it stands currently, the government itself doesn't need to abuse the vulnerabilities like in your example, because at any time they can get that information from companies who have done so for them.
> In general, governments are always going to demand some way to identify and enumerate their citizens

I think that this is something that has only become insisted upon in very recent history (when it was seen as a technical and social possibility), and that governments functioned just as well without. Ways of identifying strangers should be annoying, tedious, and expensive.

edit: When I was a kid, you could spend a week in jail and be released without the justice system having any way to verify who you were.

edit: What I'm really saying is that the "national identity verification type service" is as much a problem as the corporate databases, which it's also not really distinct from (the corporate databases work as a national identity verification service.) The problem is this desire to account for and control everything. Everyone with a little power is overcome with data FOMO.

Regardless of who is doing the job, you're still going to need some device on your person (or otherwise readily accessible) that can be used to confirm that you are actually you, and whatever that device is will become a single point of failure.

The real issue is there needs to be some simple standard workflow for when the device (be it smartphone or otherwise) fails. And in this case the government pretty much already is providing that service, or at least the backbone for it. "You lost your phone? Well send us a picture of your driver's license or passport plus a selfie in [this] pose from a different trusted number and, after we try calling your old number just to make sure it's really lost, we'll use the new number." Financial institutions already have the infrastructure for photo-id confirmation for KYC regulations, and selfie verification is widely used for dating apps. Yeah if someone breaks your phone, steals your id, and can deepfake you then they can probably steal your identity, but someone in that position can probably already steal your identity.

> you're still going to need some device on your person (or otherwise readily accessible) that can be used to confirm that you are actually you

Nah, we don't need that. We've been doing without that for thousands of years.

We also did without anesthesia for thousands of years. This is not a great argument against something.
Well there's this new thing called the computer which offers both exciting new opportunities like online banking but also new challenges like password cracking which mean we can no longer rely on old methods of identity verification like pulling swords from stones.
Probably because I've heard the statement: "Everyone has a smartphone these days, so..." for the description of every app you describe. It makes some sense: single purpose devices for authentication tend to be set aside and misplaced. So it's the union of ubiquity and ease of use.
Are you saying all of these systems enforce SMS-based 2FA rather than the sane choice of TOTP? That's unwise and unfortunate.
Many enforce 2FA through their own app, so TOTP is not an option.
It's the same plague, whether SMS or their own homebaked authentication scheme.
No, they enforce through their own crappy app which only works on few platforms.

To make things worse, if I install the app for my swiss bank on a different phone, I need to wait for snail mail to get the activation code.

All my OTPs are in Bitwarden and FreeOTP.

The only thing I currently need my phone for is Google's new device login and even that goes to my tablet too.

Can you use Bitwarden for TOTP? I already use it for my passwords but for TOTP I have multiple apps and I hate it
Yes. There’s an “Authenticator Key (TOTP)” field. Been there for several years.

It also supports SteamGuard TOTP.

But steam really doesn't want you to get the key, I soft-failed when I tried. Fuck custom authentication apps, totp is good enough for me thanks
Yes. You have to pay for the premium version for TOTP, but it's only $10/YEAR.
Why did gasoline become a single point of failure in automobiles? Why did the strings on my guitar become a single point of failure?

Creating redundancy for every dependency is not always practical or economical.

Terrible comparison. If you don't have gasoline you can still walk, get a cab or take the bus to wherever you're going. It's not gatekeeping anything, it's just a convenience.

Strings on your guitar can be readily replaced, and again, it's not gatekeeping you from your finances or your employment (unless you're a musician, but in this case I'm sure you'll have spare strings and instruments so that if one breaks you can carry on without much thought).

> If you don't have gasoline you can still walk, get a cab or take the bus to wherever you're going.

Not all of us live in an area where those options are available. But I can transport your arguments back to the OP post. You can still call your bank from someone else's phone. You can still walk into a bank branch or use an ATM. Using their website is just a convenience. If you lose your phone you can just get a new one and carry on without thought (replace it).

If you don't have you banks app, you can still go to the actual bank and tell them to do your transactions.
That's not so easy nowadays.

Firstly with covid-19 many banks don't accept walk-ins and have a long waiting list for appointments.

Secondly, what if the bank or other service i'm using has no physical offices at all?

Or what if they're simply too far away and I'm an octogenarian, perhaps with no driving license? Eh? Am I supposed to take an uber to somewhere 100/200 miles away just because morons are given decision-making power and myopic online-apologists on HN even make excuses for them?

Your argumentation is myopic. I'm not seeing anyone making excuses. I'm seeing people face the realities that few systems (if any) are without single points of failure.

Take the mobile app dependency away from banking. Then what? There's a dependency on having a computer. A dependency on having power and internet. Why did the banking system build around these single points of failure?

The reality of system design dictates that you measure risk in terms of what is acceptable vs not-acceptable, the solution on whether it is practical vs not-practical, and the implementation on whether it is economically viable. Raising a stink because your bank wants you to use a mobile phone for verification is like complaining that your car requires gasoline to work. Are there other ways of solve the problem? Sure. Did the solution they landed on meet their requirements, yes. I hardly consider them morons for going with the cell phone approach.

> Take the mobile app dependency away from banking. Then what? There's a dependency on having a computer.

A computer, but not necessarily the one authorised computer. You can use a public one in a library, a friend's, your employer's, etc. Not the same as your own and only authorised smartphone.

> A dependency on having power and internet.

This is honestly not even an argument, and they're not a SPOF. Both the power grid and the Internet have redundancies built-in.

> is like complaining that your car requires gasoline to work.

Again, it's not. The smartphone is used as a single authorised device. Gasoline works regardless of which station you purchase it from. Out of petrol? Fill it up at the nearby station and carry on. Or preferably, don't let it run out in the first place.

> I hardly consider them morons for going with the cell phone approach.

I don't consider them morons either. That's not to say I don't recognise this as a weakness.

> Again, it's not. The smartphone is used as a single authorised device. Gasoline works regardless of which station you purchase it from. Out of petrol? Fill it up at the nearby station and carry on. Or preferably, don't let it run out in the first place.

A mobile phone works regardless of which store you purchase it from. Lost your phone? Pickup a new one at a nearby store and carry on. Or preferably, don't lose it in the first place.

Again, a mobile phone works regardless of where you purchase it. Your banking systems, etc are not authorised to a mobile phone, though. They're authorised to the one mobile phone that was authenticated.

It's not enough to buy a new phone. You need to contact every single service that's bound to the lost/stolen/broken phone and authorise the new one before you can use their services.

In the case of the car, it's enough to just fill up the tank with petrol purchased anywhere. It's ready to carry on at that point.

Not clear your meaning. Are you referring to the mobile phone being used during 2FA auth flows? In this case, the authorization is not to a device but rather to a number on the cellular network. You can swap devices without your bank knowing and without disrupting your authorization. Are you referring to mobile banking apps? If so, again, the bank is not authorizing an individual device. The authorization is a sign in session on the app. You can swap phones and download the app very easily without contacting the bank.

> It's not enough to buy a new phone. You need to contact every single service that's bound to the lost/stolen/broken phone and authorize the new one before you can use their services.

Are you referring to changing phone numbers maybe? If so, that is a totally different topic from OP and also from my comments.

That was the point of my "argument". I was trying to point out how silly the original comment was.
This is a big problem for me as a traveller. If I travel long distance and I lose my phone, I lose access to both my personal and business bank.

I once dropped my phone in a lake (I'm clumsy) and was locked out of most things for a few weeks.

I prefer TOTP for most things. Keepass supports them across platforms, but Aegis has a better experience on mobiles.

The eSim's are available these days so you don't have to wait for new SIM to arrive... if your provider & phone supports this feature.
Don't eSIMs have an even worse failure mode? If the phone itself dies then there's no SIM for you to take out and put into a new phone immediately right? As I understand it you have to first find another phone (with a working line!) to call your provider with, hope that it's within their business hours, and wait on hold for who knows how long, until you finally get it set up? Because of course you don't have anything urgent you need to take care of in the meantime while you wait for your carrier to give you back the keys to your digital life right?
Phone companies don't let you apply for replacement esim through a website?
(comment deleted)
Maybe some do? I've seen ones that don't.
With Vodafone, I just login on the website and swap the esim. It’s ridiculously straight forward and you can set a sim pin that works across devices so even if someone were to steal the login and try to take your esim, they still need the pin to unlock the sim on the device.
That's better than what I've seen, but that still requires you to find a second phone with existing service? Everyone has 2 spare phones with 1 additional line of service lying around right? Or a computer with internet service I guess.

With a normal SIM all you need is the device you're going to put it into. And a needle/paperclip...

Obviously, you need a second phone to put the sim or esim in. It doesn’t necessarily need service though.

You just need an internet connection to get the QR code for the esim (though I have a paper version I can scan as well). The beauty is I don’t have to swim to the bottom of a lake to get the original phone to get the original sim. I can just scan the piece of paper and put my pin into the new phone. Though I think no matter what, I would have to go online to give the IMEID so the phone will successfully activate.

Before smartphone, if you lose your passport everything goes wrong as well. (and noticing your phone is missing and finding it back is way easier than passport)
Everything? The only thing that goes wrong is being unable to travel internationally, but I think consulates often have a process for issuing emergency documents for even that case?
Try to present a foreign ID without your visa to a US police agent and let me know how it goes.
will provide for an exciting story to tell when you're back but should be resolvable in about 24h pretty much everywhere on the planet.
It's not like this is a common thing to need to do when you're traveling...
The worrying difference for me here is that when I travel, I pull my phone out of my pocket 50 times a day but I only use my passport once or twice a week and can store it safely in between.
I strapped mine to a motorcycle and subjected it to sun, rain and dust for a few months. The GPS interface was baked into the screen, but it kept going. It even flew off the bike at speed once. I never had a phone fail from abuse.

But I had much dumber failures:

- Walk on a log to get a better picture of a lake, slip, and drop the phone in freezing water. Took multiple weeks to regain access to everything.

- The humidity presses buttons in my pocket. Too many passcode attempts, iPhone factory resets itself while abroad. Lost a bunch of unsynced photos that time.

That's cool, although I was referring mostly to the risk of loss or theft, not reliability. Phones are a more generally sought after commodity compared to passports.
Yeah, but if you lose it you won't notice for a week and it has no GPS tracking, nor PIN lock, and it can be harder to replace.

The phone number is scarier than the phone itself, since backup sim cards aren't a thing most people do, and replacement might be slow or impossible till you get back.

I live in the US. Passports are effectively irrelevant for me, even should I travel several thousand miles. Phones… not so much.

And I’m not mentioning the US because its unique in this attribute.

It’s different if you’re a foreign national.

In ‘05 I was traveling in the EU, across the open borders, and got checked by customs agents because of a bombing in, I believe, London. Thought it was weird but, whatever… Later on I pieced together what happened because even if they were only doing spot checks it’s not like I don’t perfectly blend in with Europeans.

A bit of an aside, custom agents absolutely loved my customs stamp from Iraq back then. Well, aside from the Dutch.

I don't travel much, especially recently, so this may not be worth the hassle for frequent travellers, but I factory reset before going overseas, or use a non-current phone to take overseas.

Whence through customs etc, reinstall only the essential apps for the trip, just remember your passwords or your single password to your password manager.

You can also spread about an encrypted set of instructions amongst free email hosting.

Some people would say it's a hassle, but it keeps customs' nose out of my private life. I'm getting to an age where it's not necessarily weird to have the appearance of barely any online presence.

I have traveled a lot over the past few years, including several times through hostile customs (eg USA). I have never had any of them go through my phone or even ask to see it. And to be quite frank, I don't see what use a border agent or the government would use from my phone that they couldn't get in a different, simpler, less blatant way. I'm not sure what threat model you're fighting against, but it may exist only in your mind.
I've been raided by the police before, so my threat model went up a couple of notches as a result of that.

It's a relatively recent incident and a story I'll be telling in detail at some point soon, I hope.

I’ve heard so many nasty things about customs recently. Down to officers straight up insulting people coming in.
Agree. I bring my phone oversees, but don't have an international plan, so I usually purchase a local SIM card and swap it out. But all my mfa fails then, because it is trying to text my US number!
how about taking a fully set up back up phone with you? that's what I do. losing a phone travelling nowadays is in deed an expensive and extremely inconvenient mishap.
I travel by bicycle or motorcycle, so space and weight come at a huge premium. And of course my bank only lets me pair one phone per account.
> I travel by bicycle or motorcycle, so space and weight come at a huge premium.

sure, but being protected from losing your digital prowess comes at a high utility per weight ratio.

> And of course my bank only lets me pair one phone per account.

that's a bummer. I can pair several. just need to scan some qr code.

Replacing the smartphone isn’t the problem. It’s regaining access to things for which the smartphone is the key. If I lose the sim card I’m back to square one.

This is a big part of my threat model.

What 2FA does your bank use? I hear you on the issue... if any site requires me to use a 2FA I can't backup, then I simply don't enable 2FA.

It is baffling to me that banks of all places seem to have the absolute shittiest implementations of 2FA I have ever experienced - if they even have it.

FWIW I use 2FA a lot more now that I discovered Authy, which backs your 2FA tokens (encrypted) to the cloud. There is also 1Auth, I believe the name is, which allows you to do offline encrypted backups.

See my comment elsewhere on this page.

Most banks can supply 'tokens' that generate a random-number that acts as a one-time verification.

https://pic.pimg.tw/abcwithyou/1348639177-1831387207.jpg

They are invaluable if you travel internationally as sometimes verification codes sent by text will be hopelessly out of date by the time you receive them. (If you receive them at all, that is.)

Go through the whole list and figure out which of these services really requires your phone, and which you have set up on your phone because that seemed the easiest path.

Tell your workplace you're about to switch from carrying a phone to a landline: what is their fallback option? (It's about 50/50 whether they have one, but they definitely should.)

Why should they have a landline fallback?
Because in Operations you need to cover all the scenarios, regardless of what the Developers think is the “only way” to do something.
My workplace's solution was to simply turn off 2FA for my account
Good 2 factor auth systems will provide the option to be called on the number on your account.
Phone isn’t a secure factor in 2022.
If this is due to the vulnerabilities in the SS7 protocol, then it hasn't been secure since 1975.

Or at least 2008 when a set of vulnerabilities were published.

https://en.m.wikipedia.org/wiki/Signalling_System_No._7

Well, yeah. Back in 1975, we weren't generally using our phones for authentication. The environment has changed and the security issues are far more important now.
MFA is supposed to be something you have in most cases, the phone is a weak proof of a line of phone service that has decreasingly diminished meaning over time.

NIST describes a framework for required authenticators for different levels of trust. It’s a good starting place for understanding what represents secure practices vs theater.

Depends on the security requirements and terms of employment. Where I work now, you’d get a hard token or work phone if you’re deemed as requiring a phone.

In the previous job, you were sent the form for 24x7 building access and were free to drive into work within the on-call response period. You were also reimbursed for your cell phone, that was the bronze handcuff.

Under current case law in the US, my understanding is that public ("operational realities" and reasonable suspicion tests) and private employers (fewer tests) have rights to audit any information on employer-compensated devices they wish (and have access to).

I only use a work phone for work business. If my work requires me to use a phone, I require a work phone.

Carrying two phones is a small price to pay to avoid worrying about an overzealous employer's IT staff.

https://en.m.wikipedia.org/wiki/City_of_Ontario_v._Quon

https://en.m.wikipedia.org/wiki/O%27Connor_v._Ortega

150% agree. That’s a whole other can of worms.

Even if the business doesn’t want to audit your phones, a litigation event could force the issue.

  > Tell your workplace you're about to switch from carrying a phone to a landline
In my country we still respect people who use dumbphones, because a religious minority eschews the smartphone. I'm very grateful for this, I tell my bank and other entities that I have to deal with that I have a dumbphone and all local entities have a path for accommodating this.
This is the best way to go about this (the first line, the second line is rather variable). Phones didn't suddenly become a single point of failure, it's mostly middle-management combined with checkbox-security that ends up with SMS, TOTP and push-based confirmation factors. It's not the best way, but the easiest way to set things up.

To make matters worse, TOTP is easy to copy for 'backup' purposes, so it's really not all that good (but still orders of magnitude more secure than SMS), but people are now actively encouraged to use multi-device TOTP like authy which practically invalidates it as a separate factor.

There are of course practical implications as well. Giving everyone a Yubikey is problematic due to cost, same with smartcards and readers at every workstation (the card isn't the problem, replacing everything with readers and changing the authentication system to accept smartcards is). RSA SecureID is expensive too, and essentially just TOTP. You could only use FIDO-enabled devices like the ones with secure enclaves, but that has the same problem as smartcards.

One thing that happens a lot around here is people carrying two phones, which doesn't solve anything but does shift the work/blame/cost on the company because everything will have to be done on 'their' device. This is a bit impractical because now you're constantly walking around with two phones, or have to manage which phone you happen to have on you.

On top of everything else: all other second factors can be lost too, that is by design because it is supposed to be 'something you have'.

> all other second factors can be lost too

The problem is how the phone is irreplaceable and non-redundant, and not that it can be lost.

That is not really the problem, that is the symptom. Making it redundant makes the factor property moot. And while it might be hard to replace, it's not irreplaceable. One issue is that if you have 60 TOTP accounts on an app on a phone and you desire to replace it you'll end up with a keyring full of FIDO keys. Those are just as 'non-redundant' and 'irreplaceable' as the phone was.

The problem that causes the symptom is pass-the-audit mentality in the implementation of MFA. You have many options to make this "better" like picking any push, FIDO, U2F and TOTP method at authentication time. Lose 3 of those and you still have one available for the normal flow. And then there are backup codes that most people don't actually print and store because for some reason they are either unaware of it or believe that it will never affect them.

Yeah, if my employer wants me to use a smartphone app, they better cough up a smartphone for me to use. I'm not installing anything work-related on my private one, because I am in no position to guarantee that I won't break it or lose it.

I've had pushback from the employer about this a few times, but in the end, there's nothing they can do.

The way to handle this situation that respects your space while minimizing conflict, is to have a second phone just for work only that they can mobile device manage to their heart's content with all their useless apps.

This means using one of your older devices for it if available, otherwise you can purchase the cheapest unlocked one sold at an outlet store and consider it a cost of doing business like clothing.

I hate it. They have been phasing out web for years in the EU.

Banks mostly but these days employers too. Getting a separate device, or multiple, seems like the least horrible options to me.

Turns out everyone wants a piece of my data I in the name of convenience. Only, it's their convenience, not mine.

"They have been phasing out web for years in the EU."

This is such a perfect summary of the situation; thank you for formulating it so clearly. To me is insane that we are switching to a perfectly open and interoperable standard to the walled gardens of iOS and Androids.

This is why I ordered both GNU/Linux phones, Librem 5 and Pinephone, to support the alternative. Of course, I have problems with the apps now, and I refuse to install them as much as possible. Every time someone tells me about an app, I'm asking whether they have an app for my Linux smartphone.
I use Google Voice, and the number that I use for PINs I can login to with just a password. That way I can always access text messages even if my phone is gone. You need it when traveling and your shit gets jacked.

I haven't tried it but an Android emulator should allow you to use apps without a smartphone.

>I can login to with just a password

If you can, so can anyone. Although using a unique/rare password (globally, not just among your accounts) is probably enough to make this a non-issue.

If the banking software lets you log in via an Android emulator I'd say it's a pretty badly written piece of banking software.

I understand why HN readers would want to maybe use an emulator to avoid having a phone but really what other use case is there than that or a scammer trying to spoof you.

Is running an app inside an Android Emulator (i.e. the ones that come with Android Studio) something the app can detect then ?
Some apps will. But most "secure" apps would refuse to run on the virtual device.
Only banks do that. All other services accept TOTP (which you can have on multiple devices) or YubiKeys/webauthn/U2F (where you can add multiple hardware keys).

And even here, my bank accepts two (or more) devices with an active instance of their app. So the solution to this spof is the same as always: redundancy. You need a second phone. Your old one is probably good enough.

I've never seen a bank accepting more than a single device with an active instance of their app.. I would be over the moon if they did but they don't. So, last time I broke my phone, it took quite a while to get access to my bank accounts again.
My bank (Polish mBank) even have a section in the webUI to manage these devices along with other access channels.
> Your old one is probably good enough.

Some of us use the same phone for years, until it loses OS/security updates. My current phone is 6 years old. By the time I upgrade, my current phone will not be able to run current authenticator or bank apps, which will target an iOS version above the last one supported by my phone. So no, my old one is not "good enough" unless I upgrade more often than I'm comfortable with.

(comment deleted)
Funnily enough, I just had a meeting with a client asking why they would need two (and then likely more) servers doing the very same thing. Wouldn't that increase the price? Well, yeah.
I don't have the same view, in my mind you have created a single point of failure for _yourself_. I use Authy for MFA, which comes with a desktop app. Phones dead / missing? No problem, I can get OTP's from my laptop.

What about text messages? Google voice. Which of course has a desktop interface. I've been doing this for years. It's nice not to have to rely on a watch, or phone entirely - although they do make my life easier.

>Google Voice

Anecdotally, my bank (Wells Fargo) will not accept VOIP numbers for 2FA.

Yup. Chase does the same thing. They blackhole SMS to Google voice.
Yet another push to get a better bank, in addition to all their ridiculous fees. Ally blackholes Gvoice (messages just disappear), but gives you an email option to login. When calling customer service, they can do the challenge with a phone call rather than SMS. Capital One, Discover, and Alliant all seem to accept Gvoice just fine.

There of course is a major problem that Gvoice seems to be special, in that many places will accept Gvoice but not standards-based VOIP competitors. I even had a problem with someone on "Comcast mobile" not being able to text a Voip.ms number of mine.

Probably Comcast Voice. Comcast/Xfinity Mobile is a Verizon MVNO
Oh agreed, Chase is an awful bank in any dimension. I use a credit union for most things.

Chase owns the Amazon card, and 5% rebates on Amazon are worth dealing with the drama.

Same with USAA. This is pretty recent though.
USAA's "Cybercode" logon options are god-awful. It's Symantec VIP wrapped in their mobile app.

I have no idea why generic TOTP with backup codes is not an option for every site on the planet.

Many companies, not just financial are the same. They usually fail silently, too, so you sit around wondering if the text ever sent.
The issue is that some services insist on using their own app as a second factor. You can't choose to use a superior U2F YubiKey, for example. You are also not allowed to have their shitty app installed on multiple phones at the same time. If you lose your phone, you need to call them up to reset this.

To name and shame: BNP Paribas, one of the biggest banks in France.

> you need to call them up to reset this

My bank sent me a super key (some colorful QR code) to setup new 2FA devices, which I need to securely store somewhere.

It's interesting that a super key even exists. Normally the enrolment QR codes are one time use only.
This is incorrect.

A standard TOTP QR code can be used on multiple devices or saved and printed (and stored in a safe or something). There is no expiration date encoded in the QR; it is simply the shared secret for the TOTP app to use and some extra metadata like labels. See https://www.rfc-editor.org/rfc/rfc6238

It is a good idea to enroll multiple devices as a backup against failure, or to store it somewhere safe.

Sure, blame the user, that is the mature response whenever someone is pointing out that modern ID security is a topple tower.

Whatever technical solutions can be made don't really matter unless normal people can and do use them correctly. In any case, simply setting up another non-phone computer to do the job of the smartphone doesn't change the fundamental issue, it can still break, or get stolen, or some account can get closed for spurious reasons.

Especially when the user is a senior or a minor, blaming the user is not really the solution.
>"Sure, blame the user, that is the mature response..."

We're all here to make our own decisions. We're all here to seek enlightenment. I've made it very clear that the decisions that I have made have placed me where I don't have the same issues as OP.

I'm enlightening OP, and everyone who reads these comments, I'm not "blaming" anyone.

When you acknowledge that there is a problem in the system and have solved it by way of a third party application, why do you still place the blame on the user for not solving the problem the same way you did instead of the system for having holes in it
How does providing information have anything to do with placing blame?
> in my mind you have created a single point of failure for _yourself_

You are offloading decisions to the consumer, decisions that the consumer shouldn't have to take. They should be solved by systems design already.

you can't expect most consumers to make these same decisions — the vast majority of people are nowhere near as savvy as the typical hacker news commenter.
"in my mind you have created a single point of failure for _yourself_."

You are blaming them in your first sentence. You're both blaming and informing, your message would come off much more friendly without the first sentence.

TIL Authy has a desktop app. Thank you friend, said app will be somehow added to my setup and workflow as another option.
Can you get OTPs on Google voice? Last I read (years ago) they said don’t do that because some won’t support it
Some of the financial services I use do, some don't. Things like discord don't either which is also annoying.
(comment deleted)
"I use Authy for MFA, which comes with a desktop app"

Fantastic. A lot of banks (at least here in Canada) ONLY have text or phone call for 2FA (which is awful, but welcome to banking).

> in my mind you have created a single point of failure for _yourself_. I use Authy for MFA

Since Authy requires an SMS verification for setup, now you’ve made yourself vulnerable to SIM jacking. A better approach would be to use a TOTP generator that doesn’t verify you by SMS.

In general, there’s no point in people dissing SMS OTP as insecure and at the same time adopting a service that uses it.

Some of the most important things to secure, namely many banks, both

  * mandate MFA
  * use proprietary and/or insecure phone-based mechanisms
I agree with all my heart that TOTP with backups is ideal. I discovered Authy a few months ago, and only because of that app did I enable 2FA on Amazon, Discord, AWS, and a number of other sites that offered it.

Ask me how many of the six banking and investment apps I use support generic TOTP.

if only that was a way to prove who you are through some kind of system

oh I don’t know like private/ public key infrastructure that works well in crypto

solutions are clear

Nobody knows how to do a failure analysis. I used to work in r&d, now that I’m building websites and mobile apps the culture doesn’t care. Pointing out obvious design limitations will, more often that not, make me the asshole.

Not even trying to delay ship or get future rework scheduled, just having it documented is too much. Out of sight out of mind.

It's not that they don't know how to.

It's that there's an economic incentive to not care. So they don't.

Exactly, and the incentive is that customers do not care.

Build quality, keep redundancy, and in the next pandemic your business will flourish... unless you'll have had to close it before 'cause of people buying cheap and not good!

I assert that customers do care. Customers were quite annoyed that they couldn't buy vehicles, regardless of the price. Or do you just not remember the complaints?

On the business side, Toyota - the progenator of JIT manufacturing who still warehoused chips to deal with a shortage exactly like what happened - flourished at a time where others floundered. As an added bonus, they were still able to remain profitable prior to the shortage, despite having warehoused chips.

I think the "buy cheap not good" is more of a proactive excuse from companies who want to sell cheap goods to maximize their profit. Kind of an extension of the "never ask customers what they want, they'd just want better horses" or "they can have it in any color so long as it's black" tropes.

> I assert that customers do care. Customers were quite annoyed that they couldn't buy vehicles

This is not what I meant. Customers did not care, before the pandemic.

It's not that people don't know it's a SPOF. The issue is that if you fail in a way that is common, nobody blames you. Cell phone 2FA is so ubiquitous that when it doesn't work clients wonder if they're the one fucking up. We had a massive internet outage in Canada recently and nobody blamed individual shops for not being able to take credit cards, they blamed the phone company.

If you roll your own thing, even if it's objectively better, you're painting a target on your back. Now when your new thing fails it's your fault.

There's also something to be said for how modern financial capitalism has squeezed redundancy out of everything. Supply chains are just-in-time, businesses rely on a million vendors for everything, if a single link in the chain fails it usually has a huge blast radius because of broad consolidation in these upstream suppliers. Basically there are a lot of small businesses that depend on like 5 large companies (think Sysco, telecoms, etc) and if those large companies fail every small company fails in the same way, so there's no incentive to derisk (because your competitors will all also be failing in the same way).

Let's not forget the benefits either. Reduced redundancy is _good_ (as long as nothing fails in the chain, ofc). It enables society to make more, for lower costs. And it works remarkably well, overall.
But thats the problem being expressed - things will fail. Things will always fail, and ignoring that is the equivalent of burying your head in the sand and thinking your ass is covered.
If things go right 8 times out of 10 overall, that's a net win. Expected value - I get Product X $2 cheaper if things go right, but lose $6 if things go wrong. Expected value = 2*.8-6*.2 = .4. Overall net positive.
"The price for something is measurably higher if the manufacturer maintains a surplus of components with an inelastic supply" is not really true though.

Once the initial investment in creating a stock of those items is done, there's only a minimal storage cost. For things like chips for cars, that storage cost is probably measured in double-digit dollars a year to create billions of dollars worth of vehicles.

Is investing in a business to smooth over supply chain problems really so taboo to a modern businessman?

(comment deleted)
> modern financial capitalism has squeezed redundancy out of everything

If by "modern financial capitalism" you mean "customers who prefer cheaper to superior quality of product and/or service", then I agree with you.

If you're a naive economist and you think Homo Economicus is real.
How often are customers really given that choice, as opposed to companies making the decision on their behalf because customers are stupid (they just want a better horse after all).

We can't buy what doesn't exist after all.

> How often are customers really given that choice?

You and your competition produce two equivalent products. They sell theirs for $100: do you feel confident in pricing yours at $110 and base your commercial copy on "We rely on a more robust logistic chain in case of a world-wide catastrophe"?

This isn't asking the customer to make a choice, it's asking a businessman if they're willing to invest in their business.

And it is an investment, not an ongoing significant cost. Once you have a local surplus established, you can simply buy what you use going forward - the same as any other JIT manufacturing process - with a minimal ongoing cost for storage space.

As such, a businessman who wishes to invest in the in the longevity of the business over maximizing this year's profits would be happy to sacrifice some profit for the ability to remain solvent in the next supply chain breakdown.

Because there will be another one.

The choice is almost always there, but the overwhelming majority of people choose the cheap option. Seriously, for pretty much anything there's a cheap version and a more expensive, (usually) better quality version.
It's the "usually" that's the problem for me. Last time I bought a washing machine I was willing to pay 3x the cost of the cheapest model provided it came with a warrantee that was at least 3 times longer. But in fact all machines had the same pathetic 2-year warrantee, indicating to me the manufacturer didn't genuinely believe their more expensive machine was going to last any longer. So I went for a mid-range one that at least didn't look cheap and nasty, but probably will break down in a few years anyway (and then be more expensive to repair than replace).
> There's also something to be said for how modern financial capitalism has > squeezed redundancy out of everything. Supply chains are just-in-time,

Hence the automotive/chips and other recent shortages...

Are you implying we should have wasted billions manufacturing extra chips just in case there was a shortage and consumers didn't want to wait a year before buying a new car/truck?
My bet is the cost wold be on the hundreds of thousands (yep, globally). But if you really want to push the envelope, you can go with high single digit millions.
I don't see anyone demanding a planned economy.

I see people recognizing reality - JIT is efficient but fragile in the face of disruption.

Seems to me the sensible thing to do would be to recognize that for what it is and try to strike the right balance in an uncertain world. Even if your concerns are strictly commercial, a couple points margin in good times is unlikely to balance a year of massively screwed up supply chains.

Even the progenitors of JIT did not advocate for zero warehousing - they advocated for not warehousing components which could be manufactured on demand.

Chips do not fall into this category.

What makes you think the right balance hasn't already been struck? It seems rational to me that a pandemic followed by a chip shortage driven in part by crypto would be extremely unlikely, and if they had two years of extra stock on hand that would almost suggest to me they were too prepared (i.e. wasting money). Like if the zombie apocalypse strikes tomorrow, you probably will be unprepared, not because you're bad at planning but because this was too unlikely to have reasonably prepared for
> What makes you think the right balance hasn't already been struck?

Because it wasn't in the company I work for, and it wasn't at many of our suppliers, and it looks like similar things happened most everywhere else.

We've made a number of changes, both to how and where we source things, to how much of what we keep in stock, and changed processes to re-evaluate suppliers and overall state-of-the-market more frequently.

I know some of our vendors have as well, both because in some cases we asked them to, and also just from talking to them.

If your firm has achieved planning perfection, congrats. I mean that sincerely. But I don't think a lot of other places have.

So, a couple of companies did actually stockpile chips (Toyota was one IIRC), because it was a component whose manufacturing flexability is pretty minimal. It was financially lucrative for them, since they could sell vehicles at a time where no other manufacturers could.
Indeeed. Sometimes doing the right thing pays very well. :)
> Toyota was one Iirc

The irony runs deep with that tidbit.

For anyone wondering, just in time was first established by Toyota and other Japanese manufacturers in the 70s and 80s.
For areas it makes sense!

Not every single supply chain in a nation!

Maybe it's more that Toyota knows how to right-size their process, while most others are just cargo culting one superficial aspect of the method.

From the parent:

> because it was a component whose manufacturing flexability is pretty minimal

supply could just end permanently. some kind of plan would have bern reasonable in the old days but today?

in de 90's i had a business fail because the phone company never connected my land line (and kept lying about it) it would have failed a lot faster if there wasn't a pay phone in front of the building.

Shops could still fail back on cash a few years ago but now many have a card or a phone to pay and nothing else.

3-4 decades ago regular customers often got credit at their local store, bar or lunchroom.

We seem to increasingly do stuff without a plan B

Not wasted. Stocked by automakers, for their own use.

Car manufacturers have the nasty habit of keeping no stock —at all— even of inexpensive stuff like microchips, smd components, nuts, bolts... and ordering everything "just in time", while at the same time maintaining a steel-fisted strangle-hold on suppliers which are obliged to provide them what's needed when, or die.

Someone should probably have a stock, but it is not clear to me that it should be the automakers.

For those components that are used by multiple different automakers (and others) wouldn't it make more sense for the component manufacturers to be the ones stocking?

I'm personally ashamed that auto manufacturers are destroying the environment and making life difficult for all electronics manufacturers because they want to embed literally hundreds of micro-controllers into cars, just so that they can make it break when one single component fails.

This MCH speaker suggests 3 micro-controllers is all it takes to build a fully functional and road-safe electric car, and explains the current situation about auto manufacturing:

https://media.ccc.de/v/mch2022-77-electric-vehicles-are-goin...

>just so that they can make it break when one single component fails.

No, it's also so they can do really important stuff like remotely disabling your heated seats.

> Pointing out obvious design limitations will, more often that not, make me the asshole.

Being an "asshole" isn't always a bad thing, assuming you mean "frowned upon for providing dissent along lines of unhappy, but factual, technical realities which are applicable in the current context".

If this is the new definition of asshole, then I am the king of assholes.

As long as your new definition of 'asshole' also comes with a new definition of 'bad thing' that doesn't include 'will piss off your users and cause you/your client to lose money'...
Agreed. I think how you deliver your unhappy truths is 99% of keeping the other party from going bananas. There are very few things that cannot be reframed in a more positive light.

Being able to sell a "no" is much more important than being able to sell someone on a shiny piece of bullshit.

Asshole here too. Left previous job, people sent messages thanking me for being the only person asking hard questions.
Plenty of people know how to do failure mode analysis. In most webcentric scenarios, though, nobody cares because it's all about the average case. If 99 of your users have a great experience and 1 has a bad-but-not-bad-enough-to-make-the-front-page experience, that's a huge win over 100 users having an okay experience. I hate it too, but that's the market.
True!

It's Risk. Humans are typically insanely bad at understanding risk, how to assess it, and how to mitigate it.

For most, if something is risky, it's just a black box, perhaps with some odds, and it's either feared or ignored (or both).

Few understand the critical difference between using knowledge, skill, technology, and planning to manage and mitigate risk, vs rolling the dice and getting away with it for a long time.

Using knowledge, skill, technology, and planning to manage and mitigate risk has gotten humans to great heights - we can make entire careers living in environments in which random behaviors will kill us in seconds (e.g., aerospace, underwater, large construction, metals refining, etc.).

But most people think much more naively, and even do so in professional environments unless required otherwise (and even sometimes where they are). So, they just think that if something isn't obviously a risk, or only happens occasionally, ignore it.

This is just rolling the dice. Even if you get away with it for a long time, that only makes you more falsely confident and therefore more vulnerable. From the last mild pandemic, there are over a million dead and close to half million suffering long disease from this attitude.

And you see it in your work - you simply point out an obvious very damaging failure mode, even just to document it, and you get a hostile reaction.

I'm not sure what to do about it. Perhaps rock climbing should be a required activity in school, learning to viscerally manage risk, and showing that it is usually actually easy to to?

Dude, what? How many services require SMS 2FA again?

Your phone is indeed a SPOF. If you lose your phone, you're fucked in a variety of scenarios. To say nothing of services that require a custom app and accept nothing else.

Yep! I have all of the things above (yubikeys, many PCs, a couple voip numbers with SMS, ability to emulate Android on PC, a host of old smarphones...) still, if I lose the one smartphone on which -that- custom app is installed, I'm hosed.

And I can't even install the app on a second phone, because: ah, ha! Only one at a time! There is no installing two, Luke. Only one there will be. (There you go... quotation inception.)

Thanks for addressing me as "Dude" and using the f-word!

1. OP is asking smartphone; SMS 2FA does not require a "smartphone", but "mobile phone".

2. Alternative options mentioned above should you be in the misfortune of losing your... "phone"

> Thanks for addressing me as "Dude" and using the f-word!

Sensitive, ha?

> 1. OP is asking smartphone; SMS 2FA does not require a "smartphone", but "mobile phone".

Nitpicking and strawman argument. They're both part of, and compounding, the same problem.

> 2. Alternative options mentioned above should you be in the misfortune of losing your... "phone"

Sure they "should", but they're often not offered... even if you insist.

And more often than not, the alternative options available take weeks of phone calls and visits to the local (if you're lucky to have one) branch office of your /whatever service failed you/.

I hate to put this to you, but your post sounds like a whinge on my language, dude
This has been my point for the last 5 or 10 years. That's why I have a "home phone" with banking apps, 2FA and important stuff installed. It has no SIM card and never leaves home. For everything else I have my "street phone".
Many banking apps require a phone number/SIM card to operate, but assuming you can copy codes, etc, what happens when you want to use those apps out and about (or abroad) if the phone never leaves home?
> when you want to use those apps out and about

Fortunately, my lifestyle places me out of that use case.

Yes, but then again, I'm looking at seven older smartphones —right now— on my desk, and only one is even capable of running /all/ those apps.

I had to buy it just because of that. 'cause even my Huawei P-Smart 2021 (currently in my pocket and not among the others on my desk) can't run some of those pesky apps.

Then change the bank you deal with. At least in EU, this 2FA was due to PSD.

Please also note that any changes will impact some people. How often do you lose your smartphone? If every month then it is sad. You need to find a bank that still uses cheques etc.

No point in whinging. If something works for 90 % people then get used to it.

For example, I did not like joining facebook for my children's school nor whatsapp groups but did it as most of them did it.

Part of the point he's trying to make is that eventually there probably won't be a bank that isn't like this.
Did not world survive the ATM, pin, card revolution? Yes. Did 100% population like them. No. Did people lose cards ? Yes.

Yet we are here.

A phone is a lot more than an ATM or a plastic card. Some people don't want an expensive device that tracks you, potentially sucks you into distractions, and just flat out has a lot of undesired complexity. You shouldn't need one to do basic finances.

Also ATM's and credit cards didn't replace traditional methods, they're modern alternatives.

Furthermore a phone is the single one thing whose loss will cut you out of tens of services —at best—.

Cards are one-per-service. So if lose one, you lose access to one service.

Cards, you don't take 'em out of your wallet unless you have to use 'em.

Your wallet too, you don't leave it out on the table all the time while eating.

You don't take it out willy nilly to take selfies and panoramas, or to check the stupid notifications that you get every 3 seconds.

And when you do, it's only because you have to do wallet-y things, which you do —carefully—, perhaps even looking out for possible pickpockets and thieves.

All of the above don't need to be charged twice a day... in fact, not at all... and will still work as new, after a trip into the toilet, a drop from any height, a full blown stampede, or even a few cycles in the washing machine.

Your phone? Not so much.

And those slabs of glass and metal are often eye watering expensive. Enough to be more interesting to a thief, than even your wallet... All this, while we're continuously waving them around, in front of everybody...

So, do you really need to know how may times people "lose" their phones nowadays?

Yeah, and it's this kind of sheepish behaviour, all the "for me it works", and the blame-the-user attitude, that lets things like this go down hill all the time.
Any system will affect some one. Do you my grandpa liked remembering passwords or compute or even pin? One could even lose passport or money. Dont you have backup? Like keeping some cash in backpack and some inside underpants. Get another phone.

I don't even like using word documents but every govt document like tax in my country is Microsoft based.

If developers reading hn do not care why would others care.

BTW, if so many people lose smartphones then banks would be flooded by support calls and they would own up other non-smartphone 2Fa.

It’s a physical device with access control that is unique to a single human, three nines
Not true at all. If they are able to log into your e-mail, then things will start to fall apart. But just getting your phone will not allow anyone to break into your MFA secured accounts. Your phone is something you own, but they still need something you know (i.e. your password). I feel like you might get a more nuanced perspective by looking into security related topics, specifically around authentication.
The "nuanced perspective" here is that regular people don't use MFA authenticator apps. They use SMS 2FA, if anything. Once you accept that, you're right back to "smartphones as a SPOF."
Phones are encrypted and protected by a lock screen, or am I being naive?
I'd bet almost everyone is logged into email on their phone. If you can trigger a password reset over email, and can access the 2FA (SMS or TOTP app), you can get into just about anything.
What country are you in? I’ve lived in a few, and I don’t have any services that require my phone. Many have two-factor auth, but I just save the keys in my password manager which I can access from any of my devices.
It’s a trade-off. It’s very convenient for me to pay with ApplePay. But there’s a risk I won’t be able to pay for groceries if my iPhone is out of juice.
Because it is indeed the thing every one carries almost all the time. Can you do these things without your passport/ID/driving license before smartphone appears?
We've been perfectly able to do all of the above, for at least a couple of decades, using any computer and even smartphones of our choosing, until they started forcing those stupid phone-apps down our throat, as if we where in a galaxy far, far away and... "This is the way!"
Next time you upgrade, keep the old phone. Have both phones set up so they can do mfa. If you are doing OTP, make sure to use an app that allows you to backup/export. AndOTP is very good if you're an Android guy.