
That may be so, but the alternative approach is something like Google/KeePass/whatever Authenticator, which has the issue of not being bound to your number (unlike SMSs), so if your phone gets destroyed you can't simply get a new phone and SIM from the operator and continue as usual; you're completely fucked instead.



Depending on the authenticator used, you are absolutely not fucked. It even works while waiting for your new phone / SIM (had this happen to me on a Saturday night in France. Nothing's open Sundays).

There's Authy that does backups and you can even run it on a computer (even Linux!). 1Password can store OTPs, too, and is also backed up. There are probably a bunch of others and I'd expect KeePass to be able to do backups.

Plus, you're usually able to get the OTP seed which you can store on your own. This usually shows up as "can't scan this code?" or similar when registering.

I'm now traveling overseas, and have a local SIM in my phone. I have an older iPhone, so no dual-SIM for me. If I had to receive an SMS I guess it would still be better than my older Galaxy S5 which required a reboot, but it'd still be a pain to have to switch SIMs.

If I lost my phone but still had my laptop, I'd be AOK with my current OTP setup. Except for a few sites which don't allow me to have anything else besides an SMS, but luckily they're not critical.


Well some do it properly I suppose, but on the other hand Google Auth has 100M users and no ways to back up. All of those people are royally screwed if anything happens.


I have been one of those people. There must have been a lot of them because “export” is now an option which dumps all or selected keys into a giant non-standard(?) QR code that can be imported into another instance. Mine are now on two devices.


>no ways to back up

Not true. That QR code you scanned to add the key to your app? Well, that was your key. You could have saved it somewhere else secure that does allow exporting.
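The point above, that the scanned QR code is the key itself, as an added example that is not from any commenter in this thread: the QR code encodes an otpauth:// provisioning URI, that URI carries the base32 seed, and the seed alone is enough to regenerate the same codes on any device. The URI below is a constructed sample whose secret is the RFC 6238 reference key; the function names (parse_otpauth_uri, decode_secret, hotp, totp, verify_totp, code_from_uri) are chosen here and are not any app's API.

```python
"""Parse an otpauth:// URI, derive TOTP codes from its seed, verify a code.
Demonstrates that the provisioning URI / QR payload is the backup."""
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample URI (not from any real service). The secret is the
# RFC 6238 reference key "12345678901234567890" encoded as base32.
SAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth_uri(uri):
    """Return the provisioning parameters encoded in an otpauth:// URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not a TOTP/HOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    return {
        "type": parsed.netloc,
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def decode_secret(secret):
    """Decode a base32 seed; apps often strip the padding or lowercase it."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // period, digits, algorithm)


def verify_totp(key, submitted, at=None, period=30, digits=6,
                algorithm="SHA1", window=1):
    """Server-side check: accept the current step or `window` steps either
    side (clock skew), compared in constant time. A real server should also
    remember the last accepted step so a code cannot be replayed."""
    if at is None:
        at = time.time()
    step = int(at) // period
    return any(
        hmac.compare_digest(hotp(key, step + delta, digits, algorithm), submitted)
        for delta in range(-window, window + 1)
    )


def code_from_uri(uri, at=None):
    """Everything a second device needs comes from the saved URI alone."""
    entry = parse_otpauth_uri(uri)
    key = decode_secret(entry["secret"])
    return totp(key, at, entry["period"], entry["digits"], entry["algorithm"])


if __name__ == "__main__":
    entry = parse_otpauth_uri(SAMPLE_URI)
    print("account:", entry["issuer"], entry["label"])
    print("current code:", code_from_uri(SAMPLE_URI))
```

Saving that URI (or just its secret field) somewhere encrypted at rest, such as a password-manager entry, is the backup the thread is discussing. The same property cuts the other way: anyone who obtains the URI or the "can't scan this code?" text can generate identical codes, so that seed deserves the same handling as a password, and a service's "revoke and re-enroll" path is the right response if a copy is ever exposed.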


Which all people of course do. Or is it more like 0%?


Ironically the only sites that force me to use SMS for 2FA are banks.


They're worse than that. I had pattern lock on my phone and it stopped working one day. After a factory reset all authenticator apps lose your credentials.


You are only in trouble if you didn't keep a copy of your private keys backed up.

Unfortunately many of these apps treat the private keys like the app owns them, which is where people run into trouble. Some will even back up to the app provider's cloud service, which is just asking for it to be stolen.


> if you didn't keep a copy of your private keys backed up

Most people don't. The average person doesn't even know that's a thing since like 1 in 100 services prompts you to even do that.


On Android, if you use AndOTP, the app allows you to easily back up all your OTP secrets to an exportable file, with optional password encryption. Trivial to then import into another phone.
