Ask HN: Why did smartphones become a single point of failure?
i can't log in to any of my banks without my phone. Most of the systems in my workplace also require phone app authentication. I can't do any of those things with just a PC or laptop. Smartphones being the smallest and portable are surely the most lost and stolen. If someone got a hold of my PC or laptop - they would be able to do some damage, but not even close to if they were able to access my phone. Everything everywhere nowadays requires some app.
288 comments
[ 1.7 ms ] story [ 173 ms ] threadDon't know about banks in Europe but in USA, I can log into Bank Of America and JP Morgan Chase without any phone authentication.
If I reformat my harddrive or buy a new computer and the bank doesn't recognize the web browser because no previous cookie has been found, the website will generate a one-time code and send it to my email address. I then enter that security code and the web browser is "recognized" without further issue. The smartphone was not needed in any step.
EDIT ADD: I did open my bank accounts before 2007 and thus before the smartphone era. Because of that, there may be a possibility that my logins are "grandfathered in" to not require any smartphone app authentication. It's possible that opening new accounts today with BofA/Chase require smartphones but somebody else would have to confirm/deny that.
In my case - You enter your unique ID (6 numbers), then I’ve to type 4-number PIN on my phone. There’s also verification-number shown on both sides, to compare authenticity . When approving payments, it also shows details and requires longer PIN code.
Much easier than earlier versions.
And authentication provider can be used at Insurancy, e-government, e-signing and other services.
Cryptographically, the idea of a discrete piece of hardware that uses the chip in your debit card to generate secure responses is fairly sound. And if smartphones didn't exist, it would be an unquestioned piece of technology that might even be commodified to the point that any such device could be used by all banks in the country. But smartphones exist, and having the customer loan the banks their hardware (which is often replaced within five years, so free updates too!) is quite attractive. No more hardware to support!
In the past a lot of banks here used OTP scratch cards, and would automatically send you a new one in the mail when you used one of the 10 last codes or so on the card.
Authenticating with bank OTP also work for government and other stuff. (Common here as there is no state authentication system other than some failed id cards afaik.)
Also if all else fails I can go in to the bank and take care of things.
I will never bank with an institution that requires SMS for 2FA.
I just logged into Chase via desktop web browser and there's not a 2FA requirement.
I also deliberately used a different computer and got the familiar security prompt of "We don't recognize this device": https://imgur.com/a/jKM4MPq
I see that sending the challenge code via email is not in the list but there's an option to call them for it. It's more inconvenient but it looks like neither SMS text nor a mandatory Chase smartphone authenticator app is required.
I don't want a micro-computer in my pocket, I stay at the computer all day anyway, a better one.
Why can't I do with a real computer what it is possible to be done with a phone?
A smartphone is just a tracking device, and it is terrible for privacy - but great for advertisers and similar industries.
Otherwise, a computer should be able to do everything a smartphone does.
And it's so sad.
Plus, half of the 2fa apps from the various services (most of which just want their very own app) work only on recent phones and most won't even install without google-services.
And if you lose your phone, you're toast!
So, it's not enough to have one smartphone always at hand...
You must have a backup phone too!
... and both must be fairly new... and they must both bear the all-dreaded google-battery-eating-spyware...
I lost my iPhone 7+ recently and had no idea how attached I was to that phone. Being someone conscious of infosec I had iCloud turned off and what I thought were minimal apps installed. That said, and with the fingerprint reader/my 18 char PW, I'm pretty sure no one besides a nation state/NSO could get into my phone. So losing it wasn't really a big deal except for the loss of contacts (had most on a old phone) and being locked out of my email (thanks 2FA).
Unlike you, I haven't gone fully phone free. But I do now have a free Android phone that has nothing on it that I can be locked out of. No medical, no banking, nothing personal except for email. And if I felt I could get away with it, I'd have no phone at all.
[1] not only it’s convinient, it’s also similar to what all the future predictions regarding technology said. Some small gadget or bracelet connecting over air and doing stuff.
It just so happens that most of these backup plans are incredibly inconvenient and might take a long time and effort to get through them.
Politically, there is no will for a national identity verification type service as infrastructure. And this way, all the work gets outsourced to ATT/Verizon/T-Mobile, and politicians get to say “it is not our fault” and telecoms get to say “it is not our job”.
Super conservative types are worried about mark of the beast, etc. Super progressive types are worried about folks on the margins of society being able to get ID.
I think that this is something that has only become insisted upon in very recent history (when it was seen as a technical and social possibility), and that governments functioned just as well without. Ways of identifying strangers should be annoying, tedious, and expensive.
edit: When I was a kid, you could spend a week in jail and be released without the justice system having any way to verify who you were.
edit: What I'm really saying is that the "national identity verification type service" is as much a problem as the corporate databases, which it's also not really distinct from (the corporate databases work as a national identity verification service.) The problem is this desire to account for and control everything. Everyone with a little power is overcome with data FOMO.
The real issue is there needs to be some simple standard workflow for when the device (be it smartphone or otherwise) fails. And in this case the government pretty much already is providing that service, or at least the backbone for it. "You lost your phone? Well send us a picture of your driver's license or passport plus a selfie in [this] pose from a different trusted number and, after we try calling your old number just to make sure it's really lost, we'll use the new number." Financial institutions already have the infrastructure for photo-id confirmation for KYC regulations, and selfie verification is widely used for dating apps. Yeah if someone breaks your phone, steals your id, and can deepfake you then they can probably steal your identity, but someone in that position can probably already steal your identity.
Nah, we don't need that. We've been doing without that for thousands of years.
To make things worse, if I install the app for my swiss bank on a different phone, I need to wait for snail mail to get the activation code.
The only thing I currently need my phone for is Google's new device login and even that goes to my tablet too.
It also supports SteamGuard TOTP.
Browser integration works nice, but not as smooth as Apples Keychain autofill. If you go hosted you will need a premium subscription. If you are okay self hosting vaultwarden[2] supports TOTP as well.
[1] https://bitwarden.com/help/authenticator-keys/ [2] https://github.com/dani-garcia/vaultwarden
Creating redundancy for every dependency is not always practical or economical.
Strings on your guitar can be readily replaced, and again, it's not gatekeeping you from your finances or your employment (unless you're a musician, but in this case I'm sure you'll have spare strings and instruments so that if one breaks you can carry on without much thought).
Not all of us live in an area where those options are available. But I can transport your arguments back to the OP post. You can still call your bank from someone else's phone. You can still walk into a bank branch or use an ATM. Using their website is just a convenience. If you lose your phone you can just get a new one and carry on without thought (replace it).
Firstly with covid-19 many banks don't accept walk-ins and have a long waiting list for appointments.
Secondly, what if the bank or other service i'm using has no physical offices at all?
Or what if they're simply too far away and I'm an octogenarian, perhaps with no driving license? Eh? Am I supposed to take an uber to somewhere 100/200 miles away just because morons are given decision-making power and myopic online-apologists on HN even make excuses for them?
Take the mobile app dependency away from banking. Then what? There's a dependency on having a computer. A dependency on having power and internet. Why did the banking system build around these single points of failure?
The reality of system design dictates that you measure risk in terms of what is acceptable vs not-acceptable, the solution on whether it is practical vs not-practical, and the implementation on whether it is economically viable. Raising a stink because your bank wants you to use a mobile phone for verification is like complaining that your car requires gasoline to work. Are there other ways of solve the problem? Sure. Did the solution they landed on meet their requirements, yes. I hardly consider them morons for going with the cell phone approach.
A computer, but not necessarily the one authorised computer. You can use a public one in a library, a friend's, your employer's, etc. Not the same as your own and only authorised smartphone.
> A dependency on having power and internet.
This is honestly not even an argument, and they're not a SPOF. Both the power grid and the Internet have redundancies built-in.
> is like complaining that your car requires gasoline to work.
Again, it's not. The smartphone is used as a single authorised device. Gasoline works regardless of which station you purchase it from. Out of petrol? Fill it up at the nearby station and carry on. Or preferably, don't let it run out in the first place.
> I hardly consider them morons for going with the cell phone approach.
I don't consider them morons either. That's not to say I don't recognise this as a weakness.
A mobile phone works regardless of which store you purchase it from. Lost your phone? Pickup a new one at a nearby store and carry on. Or preferably, don't lose it in the first place.
It's not enough to buy a new phone. You need to contact every single service that's bound to the lost/stolen/broken phone and authorise the new one before you can use their services.
In the case of the car, it's enough to just fill up the tank with petrol purchased anywhere. It's ready to carry on at that point.
> It's not enough to buy a new phone. You need to contact every single service that's bound to the lost/stolen/broken phone and authorize the new one before you can use their services.
Are you referring to changing phone numbers maybe? If so, that is a totally different topic from OP and also from my comments.
I once dropped my phone in a lake (I'm clumsy) and was locked out of most things for a few weeks.
I prefer TOTP for most things. Keepass supports them across platforms, but Aegis has a better experience on mobiles.
With a normal SIM all you need is the device you're going to put it into. And a needle/paperclip...
You just need an internet connection to get the QR code for the esim (though I have a paper version I can scan as well). The beauty is I don’t have to swim to the bottom of a lake to get the original phone to get the original sim. I can just scan the piece of paper and put my pin into the new phone. Though I think no matter what, I would have to go online to give the IMEID so the phone will successfully activate.
But I had much dumber failures:
- Walk on a log to get a better picture of a lake, slip, and drop the phone in freezing water. Took multiple weeks to regain access to everything.
- The humidity presses buttons in my pocket. Too many passcode attempts, iPhone factory resets itself while abroad. Lost a bunch of unsynced photos that time.
The phone number is scarier than the phone itself, since backup sim cards aren't a thing most people do, and replacement might be slow or impossible till you get back.
And I’m not mentioning the US because its unique in this attribute.
In ‘05 I was traveling in the EU, across the open borders, and got checked by customs agents because of a bombing in, I believe, London. Thought it was weird but, whatever… Later on I pieced together what happened because even if they were only doing spot checks it’s not like I don’t perfectly blend in with Europeans.
A bit of an aside, custom agents absolutely loved my customs stamp from Iraq back then. Well, aside from the Dutch.
Whence through customs etc, reinstall only the essential apps for the trip, just remember your passwords or your single password to your password manager.
You can also spread about an encrypted set of instructions amongst free email hosting.
Some people would say it's a hassle, but it keeps customs' nose out of my private life. I'm getting to an age where it's not necessarily weird to have the appearance of barely any online presence.
I'm not joking, look it up: https://www.google.com/search?q=phone+unlocked+at+customs
It's a relatively recent incident and a story I'll be telling in detail at some point soon, I hope.
sure, but being protected from losing your digital prowess comes at a high utility per weight ratio.
> And of course my bank only lets me pair one phone per account.
that's a bummer. I can pair several. just need to scan some qr code.
This is a big part of my threat model.
It is baffling to me that banks of all places seem to have the absolute shittiest implementations of 2FA I have ever experienced - if they even have it.
FWIW I use 2FA a lot more now that I discovered Authy, which backs your 2FA tokens (encrypted) to the cloud. There is also 1Auth, I believe the name is, which allows you to do offline encrypted backups.
Most banks can supply 'tokens' that generate a random-number that acts as a one-time verification.
https://pic.pimg.tw/abcwithyou/1348639177-1831387207.jpg
They are invaluable if you travel internationally as sometimes verification codes sent by text will be hopelessly out of date by the time you receive them. (If you receive them at all, that is.)
Tell your workplace you're about to switch from carrying a phone to a landline: what is their fallback option? (It's about 50/50 whether they have one, but they definitely should.)
Or at least 2008 when a set of vulnerabilities were published.
https://en.m.wikipedia.org/wiki/Signalling_System_No._7
NIST describes a framework for required authenticators for different levels of trust. It’s a good starting place for understanding what represents secure practices vs theater.
In the previous job, you were sent the form for 24x7 building access and were free to drive into work within the on-call response period. You were also reimbursed for your cell phone, that was the bronze handcuff.
I only use a work phone for work business. If my work requires me to use a phone, I require a work phone.
Carrying two phones is a small price to pay to avoid worrying about an overzealous employer's IT staff.
https://en.m.wikipedia.org/wiki/City_of_Ontario_v._Quon
https://en.m.wikipedia.org/wiki/O%27Connor_v._Ortega
Even if the business doesn’t want to audit your phones, a litigation event could force the issue.
To make matters worse, TOTP is easy to copy for 'backup' purposes, so it's really not all that good (but still orders of magnitude more secure than SMS), but people are now actively encouraged to use multi-device TOTP like authy which practically invalidates it as a separate factor.
There are of course practical implications as well. Giving everyone a Yubikey is problematic due to cost, same with smartcards and readers at every workstation (the card isn't the problem, replacing everything with readers and changing the authentication system to accept smartcards is). RSA SecureID is expensive too, and essentially just TOTP. You could only use FIDO-enabled devices like the ones with secure enclaves, but that has the same problem as smartcards.
One thing that happens a lot around here is people carrying two phones, which doesn't solve anything but does shift the work/blame/cost on the company because everything will have to be done on 'their' device. This is a bit impractical because now you're constantly walking around with two phones, or have to manage which phone you happen to have on you.
On top of everything else: all other second factors can be lost too, that is by design because it is supposed to be 'something you have'.
The problem is how the phone is irreplaceable and non-redundant, and not that it can be lost.
The problem that causes the symptom is pass-the-audit mentality in the implementation of MFA. You have many options to make this "better" like picking any push, FIDO, U2F and TOTP method at authentication time. Lose 3 of those and you still have one available for the normal flow. And then there are backup codes that most people don't actually print and store because for some reason they are either unaware of it or believe that it will never affect them.
I've had pushback from the employer about this a few times, but in the end, there's nothing they can do.
This means using one of your older devices for it if available, otherwise you can purchase the cheapest unlocked one sold at an outlet store and consider it a cost of doing business like clothing.
https://www.mygovid.gov.au/
Banks mostly but these days employers too. Getting a separate device, or multiple, seems like the least horrible options to me.
Turns out everyone wants a piece of my data I in the name of convenience. Only, it's their convenience, not mine.
This is such a perfect summary of the situation; thank you for formulating it so clearly. To me is insane that we are switching to a perfectly open and interoperable standard to the walled gardens of iOS and Androids.
I haven't tried it but an Android emulator should allow you to use apps without a smartphone.
If you can, so can anyone. Although using a unique/rare password (globally, not just among your accounts) is probably enough to make this a non-issue.
I understand why HN readers would want to maybe use an emulator to avoid having a phone but really what other use case is there than that or a scammer trying to spoof you.
You're logging in with a Google Account and when the account gets locked it's game over with no chance of appeal.
https://news.ycombinator.com/item?id=31070914
And even here, my bank accepts two (or more) devices with an active instance of their app. So the solution to this spof is the same as always: redundancy. You need a second phone. Your old one is probably good enough.
Some of us use the same phone for years, until it loses OS/security updates. My current phone is 6 years old. By the time I upgrade, my current phone will not be able to run current authenticator or bank apps, which will target an iOS version above the last one supported by my phone. So no, my old one is not "good enough" unless I upgrade more often than I'm comfortable with.
What about text messages? Google voice. Which of course has a desktop interface. I've been doing this for years. It's nice not to have to rely on a watch, or phone entirely - although they do make my life easier.
Anecdotally, my bank (Wells Fargo) will not accept VOIP numbers for 2FA.
There of course is a major problem that Gvoice seems to be special, in that many places will accept Gvoice but not standards-based VOIP competitors. I even had a problem with someone on "Comcast mobile" not being able to text a Voip.ms number of mine.
Chase owns the Amazon card, and 5% rebates on Amazon are worth dealing with the drama.
I have no idea why generic TOTP with backup codes is not an option for every site on the planet.
To name and shame: BNP Paribas, one of the biggest banks in France.
My bank sent me a super key (some colorful QR code) to setup new 2FA devices, which I need to securely store somewhere.
A standard TOTP QR code can be used on multiple devices or saved and printed (and stored in a safe or something). There is no expiration date encoded in the QR; it is simply the shared secret for the TOTP app to use and some extra metadata like labels. See https://www.rfc-editor.org/rfc/rfc6238
It is a good idea to enroll multiple devices as a backup against failure, or to store it somewhere safe.
Whatever technical solutions can be made don't really matter unless normal people can and do use them correctly. In any case, simply setting up another non-phone computer to do the job of the smartphone doesn't change the fundamental issue, it can still break, or get stolen, or some account can get closed for spurious reasons.
We're all here to make our own decisions. We're all here to seek enlightenment. I've made it very clear that the decisions that I have made have placed me where I don't have the same issues as OP.
I'm enlightening OP, and everyone who reads these comments, I'm not "blaming" anyone.
You are offloading decisions to the consumer, decisions that the consumer shouldn't have to take. They should be solved by systems design already.
You are blaming them in your first sentence. You're both blaming and informing, your message would come off much more friendly without the first sentence.
Fantastic. A lot of banks (at least here in Canada) ONLY have text or phone call for 2FA (which is awful, but welcome to banking).
Since Authy requires an SMS verification for setup, now you’ve made yourself vulnerable to SIM jacking. A better approach would be to use a TOTP generator that doesn’t verify you by SMS.
In general, there’s no point in people dissing SMS OTP as insecure and at the same time adopting a service that uses it.
Ask me how many of the six banking and investment apps I use support generic TOTP.
oh I don’t know like private/ public key infrastructure that works well in crypto
solutions are clear
Not even trying to delay ship or get future rework scheduled, just having it documented is too much. Out of sight out of mind.
It's that there's an economic incentive to not care. So they don't.
Build quality, keep redundancy, and in the next pandemic your business will flourish... unless you'll have had to close it before 'cause of people buying cheap and not good!
On the business side, Toyota - the progenator of JIT manufacturing who still warehoused chips to deal with a shortage exactly like what happened - flourished at a time where others floundered. As an added bonus, they were still able to remain profitable prior to the shortage, despite having warehoused chips.
I think the "buy cheap not good" is more of a proactive excuse from companies who want to sell cheap goods to maximize their profit. Kind of an extension of the "never ask customers what they want, they'd just want better horses" or "they can have it in any color so long as it's black" tropes.
This is not what I meant. Customers did not care, before the pandemic.
If you roll your own thing, even if it's objectively better, you're painting a target on your back. Now when your new thing fails it's your fault.
There's also something to be said for how modern financial capitalism has squeezed redundancy out of everything. Supply chains are just-in-time, businesses rely on a million vendors for everything, if a single link in the chain fails it usually has a huge blast radius because of broad consolidation in these upstream suppliers. Basically there are a lot of small businesses that depend on like 5 large companies (think Sysco, telecoms, etc) and if those large companies fail every small company fails in the same way, so there's no incentive to derisk (because your competitors will all also be failing in the same way).
Once the initial investment in creating a stock of those items is done, there's only a minimal storage cost. For things like chips for cars, that storage cost is probably measured in double-digit dollars a year to create billions of dollars worth of vehicles.
Is investing in a business to smooth over supply chain problems really so taboo to a modern businessman?
If by "modern financial capitalism" you mean "customers who prefer cheaper to superior quality of product and/or service", then I agree with you.
We can't buy what doesn't exist after all.
You and your competition produce two equivalent products. They sell theirs for $100: do you feel confident in pricing yours at $110 and base your commercial copy on "We rely on a more robust logistic chain in case of a world-wide catastrophe"?
And it is an investment, not an ongoing significant cost. Once you have a local surplus established, you can simply buy what you use going forward - the same as any other JIT manufacturing process - with a minimal ongoing cost for storage space.
As such, a businessman who wishes to invest in the in the longevity of the business over maximizing this year's profits would be happy to sacrifice some profit for the ability to remain solvent in the next supply chain breakdown.
Because there will be another one.
Hence the automotive/chips and other recent shortages...
I see people recognizing reality - JIT is efficient but fragile in the face of disruption.
Seems to me the sensible thing to do would be to recognize that for what it is and try to strike the right balance in an uncertain world. Even if your concerns are strictly commercial, a couple points margin in good times is unlikely to balance a year of massively screwed up supply chains.
Chips do not fall into this category.
Because it wasn't in the company I work for, and it wasn't at many of our suppliers, and it looks like similar things happened most everywhere else.
We've made a number of changes, both to how and where we source things, to how much of what we keep in stock, and changed processes to re-evaluate suppliers and overall state-of-the-market more frequently.
I know some of our vendors have as well, both because in some cases we asked them to, and also just from talking to them.
If your firm has achieved planning perfection, congrats. I mean that sincerely. But I don't think a lot of other places have.
The irony runs deep with that tidbit.
Not every single supply chain in a nation!
From the parent:
> because it was a component whose manufacturing flexability is pretty minimal
in de 90's i had a business fail because the phone company never connected my land line (and kept lying about it) it would have failed a lot faster if there wasn't a pay phone in front of the building.
Shops could still fail back on cash a few years ago but now many have a card or a phone to pay and nothing else.
3-4 decades ago regular customers often got credit at their local store, bar or lunchroom.
We seem to increasingly do stuff without a plan B
Car manufacturers have the nasty habit of keeping no stock —at all— even of inexpensive stuff like microchips, smd components, nuts, bolts... and ordering everything "just in time", while at the same time maintaining a steel-fisted strangle-hold on suppliers which are obliged to provide them what's needed when, or die.
For those components that are used by multiple different automakers (and others) wouldn't it make more sense for the component manufacturers to be the ones stocking?
This MCH speaker suggests 3 micro-controllers is all it takes to build a fully functional and road-safe electric car, and explains the current situation about auto manufacturing:
https://media.ccc.de/v/mch2022-77-electric-vehicles-are-goin...
No, it's also so they can do really important stuff like remotely disabling your heated seats.
Being an "asshole" isn't always a bad thing, assuming you mean "frowned upon for providing dissent along lines of unhappy, but factual, technical realities which are applicable in the current context".
If this is the new definition of asshole, then I am the king of assholes.
Being able to sell a "no" is much more important than being able to sell someone on a shiny piece of bullshit.
It's Risk. Humans are typically insanely bad at understanding risk, how to assess it, and how to mitigate it.
For most, if something is risky, it's just a black box, perhaps with some odds, and it's either feared or ignored (or both).
Few understand the critical difference between using knowledge, skill, technology, and planning to manage and mitigate risk, vs rolling the dice and getting away with it for a long time.
Using knowledge, skill, technology, and planning to manage and mitigate risk has gotten humans to great heights - we can make entire careers living in environments in which random behaviors will kill us in seconds (e.g., aerospace, underwater, large construction, metals refining, etc.).
But most people think much more naively, and even do so in professional environments unless required otherwise (and even sometimes where they are). So, they just think that if something isn't obviously a risk, or only happens occasionally, ignore it.
This is just rolling the dice. Even if you get away with it for a long time, that only makes you more falsely confident and therefore more vulnerable. From the last mild pandemic, there are over a million dead and close to half million suffering long disease from this attitude.
And you see it in your work - you simply point out an obvious very damaging failure mode, even just to document it, and you get a hostile reaction.
I'm not sure what to do about it. Perhaps rock climbing should be a required activity in school, learning to viscerally manage risk, and showing that it is usually actually easy to to?
Your phone is indeed a SPOF. If you lose your phone, you're fucked in a variety of scenarios. To say nothing of services that require a custom app and accept nothing else.
And I can't even install the app on a second phone, because: ah, ha! Only one at a time! There is no installing two, Luke. Only one there will be. (There you go... quotation inception.)
1. OP is asking smartphone; SMS 2FA does not require a "smartphone", but "mobile phone".
2. Alternative options mentioned above should you be in the misfortune of losing your... "phone"
Sensitive, ha?
> 1. OP is asking smartphone; SMS 2FA does not require a "smartphone", but "mobile phone".
Nitpicking and strawman argument. They're both part of, and compounding, the same problem.
> 2. Alternative options mentioned above should you be in the misfortune of losing your... "phone"
Sure they "should", but they're often not offered... even if you insist.
And more often than not, the alternative options available take weeks of phone calls and visits to the local (if you're lucky to have one) branch office of your /whatever service failed you/.
Fortunately, my lifestyle places me out of that use case.
I had to buy it just because of that. 'cause even my Huawei P-Smart 2021 (currently in my pocket and not among the others on my desk) can't run some of those pesky apps.
Please also note that any changes will impact some people. How often do you lose your smartphone? If every month then it is sad. You need to find a bank that still uses cheques etc.
No point in whinging. If something works for 90 % people then get used to it.
For example, I did not like joining facebook for my children's school nor whatsapp groups but did it as most of them did it.
Yet we are here.
Also ATM's and credit cards didn't replace traditional methods, they're modern alternatives.
Cards are one-per-service. So if lose one, you lose access to one service.
Cards, you don't take 'em out of your wallet unless you have to use 'em.
Your wallet too, you don't leave it out on the table all the time while eating.
You don't take it out willy nilly to take selfies and panoramas, or to check the stupid notifications that you get every 3 seconds.
And when you do, it's only because you have to do wallet-y things, which you do —carefully—, perhaps even looking out for possible pickpockets and thieves.
All of the above don't need to be charged twice a day... in fact, not at all... and will still work as new, after a trip into the toilet, a drop from any height, a full blown stampede, or even a few cycles in the washing machine.
Your phone? Not so much.
And those slabs of glass and metal are often eye watering expensive. Enough to be more interesting to a thief, than even your wallet... All this, while we're continuously waving them around, in front of everybody...
So, do you really need to know how may times people "lose" their phones nowadays?
I don't even like using word documents but every govt document like tax in my country is Microsoft based.
If developers reading hn do not care why would others care.
BTW, if so many people lose smartphones then banks would be flooded by support calls and they would own up other non-smartphone 2Fa.