Don’t do it. Wendy Nather shows an example of the kinds of constraints that organizations have to work with, and why they may make decisions that you don’t understand from the outside.
Despite everything we know about the risk of SIM hijacking as a vector of compromise, there’s no way that we can reasonably tell organizations to stop using SMS authentications.
When CISOs do threat modeling, we come up with all sorts of attacks. Then we have to pick the controls that address as many of those risks as possible, while also weighing every other consideration that determines whether users can actually authenticate at all.
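The selection problem described above can be made concrete: a threat model produces weighted risks, each candidate control mitigates some of them, and the deployable set is bounded by budget and by the requirement that every user still has some way to log in. The following Python is an added illustration, not code from the talk; the threat names, weights, control costs and reach fractions are constructed assumptions chosen to show why a weak but universally usable factor such as SMS OTP can survive a risk-based selection.

```python
"""Greedy control selection under a budget and an "everyone must still be able
to log in" constraint. Added illustration; all threat weights, control costs and
reach figures below are constructed assumptions, not numbers from the talk."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    cost: int                   # relative rollout/support cost (constructed units)
    reach: float                # fraction of users who can actually use it
    mitigates: FrozenSet[str]   # threats from the model that it addresses


# Threat model output: threat -> weight (likelihood x impact, constructed).
THREATS: Dict[str, float] = {
    "password_reuse": 5.0,
    "phishing": 4.0,
    "sim_hijacking": 3.0,
    "device_theft": 2.0,
}

# Candidate authentication controls (constructed sample catalogue).
CONTROLS: List[Control] = [
    Control("sms_otp", 1, 1.0, frozenset({"password_reuse"})),
    Control("totp_app", 2, 0.7, frozenset({"password_reuse", "sim_hijacking"})),
    Control("fido2_key", 5, 0.4, frozenset({"password_reuse", "phishing", "sim_hijacking"})),
    Control("device_pin", 1, 0.9, frozenset({"device_theft"})),
]


def residual_risk(selected: List[Control]) -> float:
    """Weighted risk left after the selected controls are deployed.

    Assumption: reach populations nest (anyone who can use a lower-reach
    control can also use a higher-reach one), so the protected fraction for a
    threat is the largest reach among selected controls that mitigate it."""
    total = 0.0
    for threat, weight in THREATS.items():
        protected = max((c.reach for c in selected if threat in c.mitigates), default=0.0)
        total += weight * (1.0 - protected)
    return total


def select_controls(budget: int, controls: List[Control] = CONTROLS) -> Tuple[List[str], float]:
    """Pick controls greedily by risk reduced per unit cost within budget.

    The first step enforces the constraint from the talk: at least one
    selected factor must work for every user, otherwise part of the
    workforce cannot authenticate at all. The cheapest full-reach control is
    taken before any risk-based choice is made."""
    selected: List[Control] = []
    remaining = budget
    universal = sorted((c for c in controls if c.reach >= 1.0), key=lambda c: c.cost)
    if universal and universal[0].cost <= remaining:
        selected.append(universal[0])
        remaining -= universal[0].cost
    while True:
        current = residual_risk(selected)
        best, best_ratio = None, 0.0
        for c in controls:
            if c in selected or c.cost > remaining:
                continue
            gain = current - residual_risk(selected + [c])
            ratio = gain / c.cost
            if ratio > best_ratio:   # strict comparison: ties keep the earlier candidate
                best, best_ratio = c, ratio
        if best is None:
            break
        selected.append(best)
        remaining -= best.cost
    return [c.name for c in selected], residual_risk(selected)


if __name__ == "__main__":
    names, left = select_controls(budget=6)
    print("selected:", names)
    print("residual risk: %.2f of %.2f" % (left, sum(THREATS.values())))
```

With a budget of 6 the selection is `sms_otp`, `device_pin`, `totp_app`: the phishing-resistant key is never affordable, and SMS OTP stays in the set because it is the only factor that reaches everyone. Changing the reach or cost figures changes the answer, which is the point of the talk: the decision is driven by constraints that are invisible from outside the organization.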
Every time you think you’ve figured out this risk management thing, something else happens to torpedo your hidden assumptions. We have to adapt to circumstances of technology use, in life and in security, that we might not have foreseen.
The blurred lines between personal IT and business IT have a couple of implications. One is that sometimes the only difference between work and home is the login name you use for that SaaS application. The other implication is that when you’re using the same software as a consumer and as a worker, you get used to the ease of consumer-grade experiences and you don’t want to give them up.