2FA workaround suggestions, sms to email or similar?

[sammyc]

Not to detract from the usefulness &c of the above but given that most of that is not exactly speaking my language (see aforementioned not being one of 'us lot', fancy tech solution wise), and that I'm a gnat's crotchet away from telling firms what to do with their 2 3 4 or 99 factor authorizations & going off grid - does anything about FIDOs etc etc apply to what I do when ebay or whoever won't budge til you give them a number and/or say they 'need to contact me by SMS', full stop? I assume full stop, unless they are keeping 6 sneaky alternatives from me. I take all the SMS vulnerability on board, and given that I don't want to use it either, what is answer..?

[watercooled]

Not if companies refuse to accept sensible alternative 2FA methods; you're stuck with whatever they want you to use.

I did realise my post didn't directly address the OP, but rather 2FA options in general for when they are offered.

Many will have an option to 'remember' devices so you shouldn't have to repeatedly enter codes etc once you're signed in (unless you're removing cookies on browser exit or something). Transactions may prompt you to enter again though. 2FA isn't something that's forced on customers as a way of intentionally antagonising them, it's a response to account breaches, largely facilitated through scams, phishing, poor password hygiene (reusing passwords, bad passwords, etc.) Many, particularly types like SMS, are not infallible, but they're better than nothing. There are legal mandates for them in some cases: https://www.itpro.co.uk/two-factor-a...sca-under-psd2

I would urge caution with sms to email services. For one, you're probably not gaining much in terms of practicality anyway as you still need to enter the code. However you're also giving another third party access to that code so need to be sure you trust them, and you need to know whether you have any right to that telephone number, because you'll be rather stuck if you lose access to the number. There may also be problems if organisations such as banks, who do have that closer integration I described earlier, blacklist such services. It's just a guess, but I suspect they might.

[sammyc]

Ta I wasn't saying that you hadn't answered the question, so much as just asking if there is a way to turn the methods you mention to my advantage in the case of mobile number-insisters; because it would probably be beyond me to see how unless it was explained to me outright. If no then as you say I am probably stuck with grudgingly handing over a mobile & lump it because I (also grudgingly) grant that sms to email is not a tiptop answer - as per the fatal hitches I already mentioned, & that you mention, & no doubt more besides. Was just hoping, but realistically against hope I suppose, for a tidy way around the whole thing. I don't dispute the for your own good nature of 2FA, I'm just narked it involves me handing over a number I wouldn't otherwise go out of my way to have. I suppose in an ideal world I would at least like them to say we will need a mobile number, sorry about that, can't be helped.

Re remembering devices, that's fine if things work as they should (you only have to google 'paypal' and 'trust this device') - Ebay are currently sending me temporary codes by email to 'verify my email and finish setting up my account' - repeatedly. I mean to me, the layperson, that says one-off - either they're setting up my account over & over, or it's a wrongly worded email.

Anyway it is what is it &c.

[watercooled]

Yes Paypal is one I had in mind when saying about transactions prompting you for codes. Some others will also ask for the full authorisation if accessing certain account details e.g. security/sign-in information.

In theory, companies wanting a mobile number specifically for 2FA could (and you could certainly argue, should) use it for that alone. But there are examples of where this has been taken advantage of, frustratingly (but understandably) driving more people away from wanting to use it: https://arstechnica.com/tech-policy/...to-target-ads/