Probably. The article focuses more on the weak password reset procedures of institutions. It points out that in many cases a scammer only needs to obtain what has become readily available info to fill out a password reset form. From there a code is sent. The scammer then uses social engineering to get said code. The code could be sent via SMS, email, or generated from a TOTP app. That really doesn’t matter.Perhaps I am missing something, but if a scam target is willing to cough up an SMS 2FA code, wouldn't he or she be just as willing to cough up an authenticator code?It shows how important to use an authenticator - on the fildelity site if you’ve set up an authenticator code it asks for that instead of sending an sms 2fa
The point is you can have a strong password and good 2FA practices and still fall victim because of poor password reset or account recovery processes. We need to get to a world where authentication is easy to use but hard to share unknowingly. Passkeys, either hardware or software, are what we have near term to accomplish that. But, organizations still have to tackle the account recovery processes.
While that’s easy to say. There are real world issues to face in getting to this ideal though. Imagine a world where you’ve lost access to all of your authentication devices and your bank has an account reset process that involves identity verification requiring not only access to your email and answering questions but verification with a selfie and government ID.
So you’ve lost everything because of a fire let’s say. You need money to help establish yourself but you can’t access your accounts because you have no way to login or verify your identity.
The easy answer is offsite backups. Now imagine your average non-boglehead user maintaining that.
Statistics: Posted by PersonalFinanceJam — Wed Feb 11, 2026 2:47 pm — Replies 7 — Views 201