There are three doors, one has a prize and the other two are empty. You pick a door (say, Door 1). Monty then says that his assistant will move whatever is behind Door 2 (if anything) to Door 3. He then opens Door 2 to show you it is empty. Would you switch to Door 3? Of course you would.
But Monty’s assistant is lazy, so instead of moving the contents from behind one of the closed doors to the other, he just asks Monty to open the one that he knows is already empty. The result is the same.
Unlike what the OP stated, the key is NOT to list your phone number as an SMS 2FA recovery option. Only use the non-SMS options (e.g. app-based recovery, Google Authenticator, recovery codes). Adding SMS as an option makes your account less secure, not more.
Unfortunately, most sites do not allow you to turn off SMS recovery even if they offer other 2FA options.
Security is only as strong as the weakest link, and SMS is very weak.
The problem lies in that Google Authenticator is tied to a device, so if you upgrade it or lose it, you’re f’d. I also doubt many use/print recovery codes, and if they do, good luck finding them 7 years later.
I just went through this situation with a couple non-Google companies when I upgraded my phone, not realizing that their authentication info wouldn't transfer when Google transferred my data to the new phone. I thought I had double-checked that I had everything, but this got missed.
It was a pain for all of them, but it was worst for the ones that I had no other auth systems set up. (Or the ones that had my old phone number for SMS still, even though I thought I'd changed it everywhere.)
In the end, there's still no good system for real security. You're either stuck with a device you might lose (or someone might steal), or stuck with an account that you might cancel (or someone might steal). Or use biometrics which are just not ready for prime time.
> The problem lies in that Google Authenticator is tied to a device, so if you upgrade it or lose it, you’re f’d.
You can save the QR code that was used during setup to repeat the onboarding at any time. You can also use Authy, 1Password, or another service that lets you store the one-time password somewhere else. Or use U2F devices when possible.
No, Google Authenticator is not tied to a device. It's a standard (TOTP, RFC 6238) and you just need to use an app (perhaps not Google Authenticator, I use a different app myself) that will let you see the numerical code that you need to save somewhere.
It’s tied to the device as in it won’t be part of your backup to a new phone. You have to manually transfer it yourself, which according to you is using another app!
So the likelihood of moving to a new phone without those codes transferred is very high. Not exactly an easy experience.
Stop calling it “rideshare”. The driver is not “taking a ride” and “sharing” it with you. They are a paid driver. This is a taxi service — not a carpooling service.