How is a text message more secure?

I think I’m noticing a trend with companies not preferring passwords, but not replacing them with something more secure.

Today, I had to make a payment on Steam. They prompted me to pay with Paypal, and I had to sign in. Paypal’s first choice for my login was to send me a text message, rather than using my password. And AFAIK there’s no way to tell Paypal they should require my 60+ character random password instead of relying on my phone.

Is this somehow considered more secure?

1 Like

Two-factor authentication is considered more secure than a password. Passkeys even more so.

1 Like

But a text message isn’t a second factor if it’s not asking for a password, is it?

Factors for security are “something you know,” “something you have,” and “something you are.” A password is “something you know.” A text message is effectively “something you have.” And biometrics is “something you are.”

Is swapping “something you have” considered significantly more secure than “something you know”?

2 Likes

I don’t see how an SMS message can be more secure than a password. In fact, using SMS for two factor authentication is probably the least secure 2FA available.

Exposing The Flaw In Our Phone System

2 Likes

I’d assume the metric here isn’t security but successful logins. And by that metric a phone code is much more likely to succeed.

2 Likes

It is because in theory a second factor is something you have or something you know.

In theory you should always be in possession of your phone with your SIM card (or eSIM). But we’ve seen how fallible that can be.

Recently a court in Spain fined Vodafone 200,000 Euros for allowing a third party to transfer a phone number to a different person without the authorisation of the user. Maybe if these punishments happen more often, carriers will tighten up their processes.

/tangent

I agree with you @webwalrus a text message is less secure than a strong password.

1 Like

Yes, I’m seeing this more and more places. I hate having to take the extra steps to just be able to log in with a password. (Or password + 2 factor if enabled.)

2 Likes

I’ve seen something like this offered as an option, but I’ve ignored it so far. And if/when it is no longer an option I will stop doing business with the company. Especially if it is a bank or credit card, etc. company.

But can you have a “second factor” if you’re dispensing with the “first factor”? :slight_smile:

Or put a bit more snarkily, those two things are “second factors” because nobody thinks a company is stupid enough to not bother to ask for a password first.

I agree that as far as second factors go, your phone is a pretty good one. But switching from “we’ll check your password and then verify with a text message” to “anybody with access to your phone can log in, whether or not they know your password” seems like a step in the wrong direction.

6 Likes

Paypal’s first choice for my login was to send me a text message

Craigslist has done something like this for several years now and I don’t like it either.

It’s not just about what’s most secure at its best, it’s also about what’s least secure at its worst. SMS is not as secure as a strong unique password but it’s more secure than a weak and/or widely reused password. Passwords essentially have both a higher ceiling and a lower floor for security risk than SMS.

Some companies presumably feel that enforcing a minimum level of security across all users leads to more collective gains.

Don’t forget too that some services will have additional heuristics involved, whereby they ask for additional factors if someone tries to access with an unfamiliar location/IP/machine/time of day/etc.

And of course there’s the whole security/convenience angle to consider.

For those of us set up with a good system for handling passwords & passkeys it can be annoying, as it’s both more effort and less secure to use a different system. But companies have to think about all their users, not just those set up to maximise security.

2 Likes
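To make the thread’s point concrete (a text message is “something you have”, and two credentials from the same category are still one factor), here is a small policy check written for this reply; it is an added example, not code from any poster or from PayPal. The credential names, the context fields and the “familiar device and IP needs one factor, anything unfamiliar needs two” rule are assumptions chosen to illustrate the risk-based step-up described above.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"   # password
    HAVE = "something you have"   # SMS code, TOTP app, passkey device
    ARE = "something you are"     # biometrics


# Which factor category each credential type actually proves.
# Constructed mapping for this example, following the thread's taxonomy.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOW,
    "sms_code": Factor.HAVE,
    "totp": Factor.HAVE,
    "passkey": Factor.HAVE,
    "fingerprint": Factor.ARE,
}


@dataclass
class LoginContext:
    """Hypothetical signals a service might have about the login attempt."""
    known_device: bool
    known_ip: bool


def distinct_factors(credentials):
    """Count the distinct factor categories covered by the credentials.
    SMS + TOTP are both 'something you have' and count as one factor."""
    categories = set()
    for cred in credentials:
        if cred not in CREDENTIAL_FACTOR:
            raise ValueError(f"unknown credential type: {cred}")
        categories.add(CREDENTIAL_FACTOR[cred])
    return len(categories)


def required_factors(ctx):
    """Risk-based step-up (assumed policy): a familiar device on a familiar
    IP needs one category; an unfamiliar device or IP needs two."""
    return 1 if (ctx.known_device and ctx.known_ip) else 2


def login_allowed(credentials, ctx):
    """True when the credentials cover at least the required categories."""
    return distinct_factors(credentials) >= required_factors(ctx)
```

Under this policy an SMS code alone passes only from a familiar device and IP; from a new device it is one factor short, and adding a TOTP code does not help because it proves the same category.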

They call this passwordless logins. I think it is fine for something like a subscription to a newspaper website where I don’t personally care if someone else uses my login to read it. But it is definitely less secure and I wouldn’t like it on a website where I make purchases with a stored credit card. Or God forbid my bank, but financial institutions are smarter than that.

1 Like

You are of course technically correct.

However, the most common use case being solved for is people with less tech skills and security awareness than most people on here. At this point in time, I know that at least the Apple iPhone is pretty easy for anyone to secure with biometrics. I would expect Androids to be on an equal footing here. So for 99+% of transactions, an SMS code (hopefully with a short expiry after issuance) is probably considered sufficiently secure.

Most importantly, it reduces support calls and thereby cost for the struggling startup that is PayPal. (/s)

1 Like

I just tried logging into PayPal. For me, passkey is the best way. But, below the login button there’s text: “try another way”. Would that lead you to a password choice?

Many users are taking better care of keeping their phone number than keeping their passwords secure - let alone choosing secure passwords in the first place (ones that differ from their online gaming account, for instance).

Also, a code sent by text message is only valid for a few minutes, I suppose. As opposed to a password that may not have been changed in years and been compromised (again, possibly through another account that PayPal doesn’t even know of but that uses the same email address).

1 Like

I get frustrated with this too and have a related experience. I travel internationally a few times a year and usually use an eSIM for data since it’s much cheaper than sticking with my U.S. provider. But SMS while abroad while on a different SIM is unreliable—sometimes they come through, sometimes not. (iMessage on Apple devices is fine.) The problem is that logging into accounts from abroad almost always triggers 2FA, and if the code goes by text, I can be locked out completely.

2 Likes

Another issue with SMS for security is when you change your phone number and their system won’t let you update it.

I’m looking at you, ticketmaster.

I’m going to have to abandon my account and create a new one just to fix that.

Ticketmaster are real scammers. They block VPNs and ban Proton as an email provider. I almost couldn’t create an account with them because there were so many obstacles.

1 Like

You actually can’t use Proton with them? That’s crazy.

I don’t like the VPN restrictions, but a lot of sites do that. I can’t imagine what they’re so worried about that they ban an email provider, unless they’re absolutely loaded with trackers in their emails.

1 Like

I had/have to deal with this with my Mom — changing phone numbers is a huge pain and can’t always be done. I’m never changing my phone number at this point.

1 Like