HACKER Q&A
📣 neverminder

Why did smartphones become a single point of failure?


I can't log in to any of my banks without my phone. Most of the systems in my workplace also require phone-app authentication. I can't do any of those things with just a PC or laptop. Smartphones, being the smallest and most portable, are surely the most lost and stolen. If someone got hold of my PC or laptop, they would be able to do some damage, but nowhere near as much as if they were able to access my phone. Everything everywhere nowadays requires some app.


  👤 dogleash Accepted Answer ✓
Nobody knows how to do a failure analysis. I used to work in R&D; now that I'm building websites and mobile apps, the culture doesn't care. Pointing out obvious design limitations will, more often than not, make me the asshole.

Not even trying to delay ship or get future rework scheduled, just having it documented is too much. Out of sight out of mind.


👤 winternett
Your phone is leveraged so much because it provides companies with deeper tracking capabilities. Most laptops and PCs only geolocate based on their connection points; phones have accelerometers and more accurate location and ID info in them, so many app makers hobble browser-based app iterations to encourage mostly phone use. They also know users are engaged and focused on content more when they are on phones, because browsing in multiple tabs is less possible than on desktop PCs. It's ridiculous that we are manipulated in this way, but fandom for certain devices and apps has created powerful companies that dictate how the Internet works, rather than a better world where companies work to provide value and function to consumers first. The customer is no longer right; whatever the company dictates is what is right now, unfortunately so for us.

👤 nicbou
This is a big problem for me as a traveller. If I travel long distance and I lose my phone, I lose access to both my personal and business bank.

I once dropped my phone in a lake (I'm clumsy) and was locked out of most things for a few weeks.

I prefer TOTP for most things. KeePass supports them across platforms, but Aegis has a better experience on mobiles.


👤 theonemind
I didn't have a cell phone until work issued me one around 2018 or so. (I never really liked the idea.) Generally, I don't have many single points of failure tied to the phone not tied to work...certainly nothing related to my banking.

You can still live in 2022 without one, although the assumption that you have one gets more annoyingly entrenched year-by-year.

I don't quite know what these single points of failure are, but they must tend not to exist when you have a "hard no--I have no such device" in your back pocket...you can choose services that don't require it, use hardware token 2FA, or something. Somehow, it does still work out to simply not have one, but it seems hard to avoid reliance on it once you've got it, since you don't see a service and think "well, I guess I just can't sign up for that one", but instead whip out the cell phone and comply.


👤 dsr_
Go through the whole list and figure out which of these services really requires your phone, and which you have set up on your phone because that seemed the easiest path.

Tell your workplace you're about to switch from carrying a phone to a landline: what is their fallback option? (It's about 50/50 whether they have one, but they definitely should.)


👤 jasode
> I can't log in to any of my banks without my phone.

Don't know about banks in Europe, but in the USA I can log into Bank of America and JP Morgan Chase without any phone authentication.

If I reformat my hard drive or buy a new computer and the bank doesn't recognize the web browser because no previous cookie has been found, the website will generate a one-time code and send it to my email address. I then enter that security code and the web browser is "recognized" without further issue. The smartphone was not needed in any step.

EDIT ADD: I did open my bank accounts before 2007 and thus before the smartphone era. Because of that, there may be a possibility that my logins are "grandfathered in" to not require any smartphone app authentication. It's possible that opening new accounts today with BofA/Chase requires smartphones, but somebody else would have to confirm/deny that.


👤 kome
Indeed it's an incredibly stupid development. Fuck smartphones, really. I don't own one and I feel happy overall, but life is complicated because nowadays some sort of stupid app is required (most of the time, for no good reason) and dealing with those requirements always costs so much thinking.

I don't want a micro-computer in my pocket, I stay at the computer all day anyway, a better one.

Why can't I do with a real computer what can be done with a phone?

A smartphone is just a tracking device, and it is terrible for privacy - but great for advertisers and similar industries.

Otherwise, a computer should be able to do everything a smartphone does.


👤 megraf
I don't have the same view; in my mind you have created a single point of failure for _yourself_. I use Authy for MFA, which comes with a desktop app. Phone's dead / missing? No problem, I can get OTPs from my laptop.

What about text messages? Google voice. Which of course has a desktop interface. I've been doing this for years. It's nice not to have to rely on a watch, or phone entirely - although they do make my life easier.


👤 lotsofpulp
Because using phone numbers to decide if human or bot is cheap, easy, and effective.

Politically, there is no will for a national identity verification type service as infrastructure. And this way, all the work gets outsourced to ATT/Verizon/T-Mobile, and politicians get to say “it is not our fault” and telecoms get to say “it is not our job”.


👤 beebeepka
I hate it. They have been phasing out web for years in the EU.

Banks mostly, but these days employers too. Getting a separate device, or multiple, seems like the least horrible option to me.

Turns out everyone wants a piece of my data in the name of convenience. Only, it's their convenience, not mine.


👤 sybercecurity
Probably because I've heard the statement "Everyone has a smartphone these days, so..." in the description of every app you describe. It makes some sense: single-purpose devices for authentication tend to be set aside and misplaced. So it's the union of ubiquity and ease of use.

👤 _int3_
Someone, somewhere decided: your digital life is going to be tracked and recorded to a third-party cloud. (We are increasingly getting to that point.) To accomplish that you were given a central device (a smartphone) on which you ought to do everything related to your digital life. So how to remedy this? Easy, just don't do that.

👤 pessimizer
Because they're the thing in your life that you have the least control over. Businesses and governments can lower all kinds of costs by using your phone to manage you. If kings had the ability to distribute smartphones when feudalism was in full swing, feudalism never would have ended.

They watch you while you watch them, and there's nothing you can do about it. What I really wonder is whether we're 10 years away from police being dispatched if your phone is turned off (which, of course, would have started as opt-in, and ended as getting a ticket for letting your battery die), if we're 50 years away, or if there will be some sort of Butlerian Jihad before it happens.

edit: we can pretend this is just about authentication, but the reason smartphones work for authentication is because you have no control over them. If you root your phone, it becomes useless for authentication.


👤 BLKNSLVR
I always have a backup Android device set up as per my standard operating environment for this very reason. I'm actually due to set up another one, as my previous backup went to my daughter for her birthday recently (but it still has my SOE hidden on it).

But also, I don't use my phone for banking because I still don't trust mobile ecosystems. I use a dedicated VM that requires a decryption password to boot up.

But yeah, banks are pushing for app usage rather than web interface, which is ironic given that my bank still only has SMS 2FA, not token-based. So why would I trust their app to be anywhere near secure in an insecure ecosystem if they can't even support proper multi-factor authentication that's been standard for, what, 5 years already?


👤 jesprenj
I had a similar problem very recently with OVH. Though it's not related to smartphones.

I migrated my personal domain (nameserver and email) to a different IP address. After migrating the server, I wanted to change the glue record on OVH.ie. They detected some suspicious activity and prompted me to enter the code that was sent to my email, an email on the domain that has unreachable nameservers because I couldn't log in to their dashboard. I had no 2FA enabled.

The interesting part about this is that I knew it might cause problems, so I also added a secondary email address to OVH, the one from our national academic research network. But OVH only sends codes to the primary mail! How useful ...


👤 alsobrsp
All my OTPs are in Bitwarden and FreeOTP.

The only thing I currently need my phone for is Google's new device login and even that goes to my tablet too.


👤 RockyMcNuts
it's crazy when museums don't give out paper maps and expect you to use your smartphone - https://twitter.com/austinkleon/status/1556466475354963968

there are old folks who aren't that tech-savvy, and smartphones + plans are not that cheap or free in the US, we still have some extreme poverty, penetration is not 100%; if you're going to make a smartphone a requirement to participate in society there really need to be super-cheap smartphone options.


👤 eternityforest
They're more reliable than any other affordable device capable of filling the "your whole life in a box" role I've ever seen, at least subjectively.

Nearly no moving parts (the few remaining ones seem to be the #1 failure mode), a general-purpose OS that's truly designed for what it does, etc.

On top of that, they have some built in safety features like the ability to remotely disable, wipe, and track them, plus, normal bank transactions can be reversed. I would much rather have a phone-linked account than go back to cash, and people used to carry that all the time.

Plus, for all the horror screen addiction causes, it does make losing your phone less likely, because you notice fast.

And on top of that, we used to (and still do) have MANY single points of failure ranging from debit card to notebook with meeting notes that could get you fired if you lose it to cash to house keys, any individual one of which could, if lost at the wrong time, cause a similar scale of damage to a lost phone, sometimes more.

Now, if you lose your credit card, you use your phone to disable it. If you lose your keys, you use your phone to Uber. If you leave your wallet at home, you sign up for Kroger Pay while standing in line, using the card number you stored in a notes file for exactly that kind of thing (true story).

It might slightly increase the risk of some pretty big disasters for some people, but for most of us, I think overall it removes a lot of common failure modes from life, so we accept the downsides.


👤 blfr
Only banks do that. All other services accept TOTP (which you can have on multiple devices) or YubiKeys/webauthn/U2F (where you can add multiple hardware keys).

And even here, my bank accepts two (or more) devices with an active instance of their app. So the solution to this SPOF is the same as always: redundancy. You need a second phone. Your old one is probably good enough.


👤 simonblack
> I can't log in to any of my banks without my phone.

Check with your bank. Most banks have another capability of verifying who you are on login. That usually consists of a random-number generator that is in lockstep with a similar one within the bank's system. The random-number supplied by your 'token' should be the same as the one generated by the bank that is associated with your account or login.

We have three of these. One for each of the banks we deal with.

https://pic.pimg.tw/abcwithyou/1348639177-1831387207.jpg

We don't use any of the bank smartphone apps. I dislike intensely trying to do broadsheet work on tiny phone screens. It's akin to trying to do 'keyhole surgery'. I much prefer my 3840x2160 view, at a non-microscopic scale, on my computer screen.


👤 throwaway787544
I use Google Voice, and the number that I use for PINs I can login to with just a password. That way I can always access text messages even if my phone is gone. You need it when traveling and your shit gets jacked.

I haven't tried it but an Android emulator should allow you to use apps without a smartphone.


👤 DarkwingDuckFan
Ask your bank and others to give you a different way of authentication. You will get another tool for that. There are several hardware authenticators and other tools out there, and each bank or service offers this to you. It's you who creates this single point of failure. I have a second (old) phone at home, ready for reactivation if needed. I am teaching my kids not to use the same mail address / mobile number for each service and to be sure to have a good backup for really important accounts (really important for my kid means: for Steam and other games). Try to find a different way to get the authentication. They exist. The only disadvantage is: you have to ask, and it isn't as simple as a mobile.

👤 rodolphoarruda
This has been my point for the last 5 or 10 years. That's why I have a "home phone" with banking apps, 2FA and important stuff installed. It has no SIM card and never leaves home. For everything else I have my "street phone".

👤 wizofaus
I'm definitely not a fan of forcing anyone to use their (personal) phone for MFA for accessing company resources. I wouldn't really consider it a single point of failure, though, unless it was so poorly set up that there was literally no alternative login method in the case of a lost/forgotten/broken phone. And if that happens it's the company's loss, not mine: yes, I enjoy my work and don't like letting my team members down, but I can happily find other things to do if I can't access the systems I need to work (and they're going to pay me either way).

👤 discreditable
Next time you upgrade, keep the old phone. Have both phones set up so they can do MFA. If you are doing OTP, make sure to use an app that allows you to backup/export. andOTP is very good if you're an Android guy.

👤 unethical_ban
I agree, mostly because of the lack of self-managed MFA mobility.

The ideal situation is for a site using 2FA to allow me to choose the 2FA application: Google Authenticator, Authy, OneAuth(I think), etc.

Tools like Okta Verify, RSA, Symantec, or SMS based 2FA make the phone a true SPOF. You can't have backup codes, you can't migrate installations. In other words, I hate forcing my phone to be an irreplaceable hard token lest I drop it in the river and have to do a bunch of resets.


👤 jolmg
> I can't log in to any of my banks without my phone.

What country is this? Are you sure they're not just heavily pushing for the use of the apps while still having an alternative? What happens if when you open an account you tell them that you have neither an Android nor Apple phone? There's probably still plenty of options for such phones, and it's hard to think they'd refuse to open an account unless you buy a phone of their choice.


👤 yokoprime
Not true at all. If they are able to log into your e-mail, then things will start to fall apart. But just getting your phone will not allow anyone to break into your MFA secured accounts. Your phone is something you own, but they still need something you know (i.e. your password). I feel like you might get a more nuanced perspective by looking into security related topics, specifically around authentication.

👤 unreal37
So let's say you change phone numbers and FORGET to change one of the important websites that use that number for authentication?

Or you change phones, wiping the old one before selling it to your friend and setting up the new one from scratch?

Some websites are terrible/impossible at letting you recover your account when you've lost access to the phone number or the exact instance of the phone used for authentication.


👤 2-718-281-828
That's why I have three phones fully set up (two would be sufficient, but I just happen to have an iPhone and two OPs).

Technically you can also set up an additional authenticator on your computer. But my bank authorizations are either app based or phone number dependent, so one main phone featuring both and an additional phone having the app set up.

I don't like it either.


👤 daneel_w
Are you saying all of these systems enforce SMS-based 2FA rather than the sane choice of TOTP? That's unwise and unfortunate.

👤 EVa5I7bHFq9mnYK
I have a virtual phone number to receive SMS from all my banks and other services. Funny thing, their phone app doesn't work reliably, but their Windows app does. So I use desktop to log into all my accounts. If I lose both phone and notebook, it's easy to recover, I only need virtual phone username and password.

👤 childintime
By chance I saw this:

https://support.google.com/fi/answer/6330195?hl=en

It allows the data to be used on a second device, on the same SIM/number. Not SMS though, so this is going to be a limited solution. I also don't know how this works across the globe.

👤 SergeAx
It is not a smartphone, it is your phone number most of the time. It is bound to the SIM card. You may switch the card to another smartphone if yours is broken, or order a replacement SIM card if you lost it. The latter is done by your cell provider with your identity confirmation.

👤 miav
I haven't lost my phone yet, but it's only a matter of time before I get unlucky enough.

I'm prepared for it by using ProtonMail for my main email with (strong, memorized) password only, no 2FA and Starling for my bank, which allows you to log in with password + video of yourself.


👤 NaughtyShiba
But that's kinda convenient [1]. The problem is that there's no real proper fallback/backup plan.

[1] Not only is it convenient, it's also similar to what all the future predictions regarding technology said. Some small gadget or bracelet connecting over air and doing stuff.


👤 durnygbur
> I can't log in to any of my banks without my phone

Glad it's not only my problem. Force banks to support TOTP. They will not do it voluntarily; they have too many "experts" selling dedicated apps to management because "securitay".


👤 travisporter
Others have brought up 2FA. I've been looking for a simple (RSA SecurID fob style) display device that only provides OTP codes. Does such a thing exist? I'm not even above buying a dozen of those old fobs if it gets the job done.

👤 malepoon
This is why I love (WebAuthn) security keys: it's completely separate from your phone (and easy to register a second/third key as a backup in a safe location), so you eliminate this whole class of issues.

👤 Helikentio
I have a few yubikeys.

I have a folder with recovery codes.

I have a fully encrypted phone.

I can afford a cheap backup phone.

I never felt as secure as I do currently.

Partially thanks to Google and the effort they put in 2fa.

I'm happy to have that than needing to drive to my bank for a paper printout.


👤 jerryzh
Because it is indeed the thing everyone carries almost all the time. Could you do these things without your passport/ID/driving license before smartphones appeared?

👤 hypertele-Xii
Your choice of banks.

I still have my bank's physical code-slip and can sign in using it just fine.

My fiancée's bank provided her with a small, calculator-looking battery-powered code device.


👤 f6v
It’s a trade-off. It’s very convenient for me to pay with ApplePay. But there’s a risk I won’t be able to pay for groceries if my iPhone is out of juice.

👤 seydor
It's a temporary phase, next generation phones will be surgically implanted under the skin so no fear of ever losing them.

👤 waspight
How do I backup all my 2fa that I have on my phone? I would like to have a backup at home in case of the phone being stolen.

👤 achow
Doesn't 2FA include emails?

I always get my OTP verification codes (banking, corp login etc.) both on mobile and at my email id.


👤 lajosbacs
I have two smartphones for 2FA; one never leaves the house. But it would still be a problem losing one while traveling.

👤 douglee650
It's a physical device with access control that is unique to a single human, three nines.

👤 aikinai
What country are you in? I’ve lived in a few, and I don’t have any services that require my phone. Many have two-factor auth, but I just save the keys in my password manager which I can access from any of my devices.

👤 throwaway98797
if only there was a way to prove who you are through some kind of system

oh I don't know, like private/public key infrastructure that works well in crypto

solutions are clear


👤 coffee33go
Then change the bank you deal with. At least in EU, this 2FA was due to PSD.

Please also note that any changes will impact some people. How often do you lose your smartphone? If every month, then it is sad. You need to find a bank that still uses cheques etc.

No point in whinging. If something works for 90 % of people, then get used to it.

For example, I did not like joining Facebook for my children's school, nor WhatsApp groups, but did it as most of them did it.


👤 alldayeveryday
Why did gasoline become a single point of failure in automobiles? Why did the strings on my guitar become a single point of failure?

Creating redundancy for every dependency is not always practical or economical.