See articles like "Stop using your phone number for two-factor authentication" and read up on what Pegasus was doing. Giving your phone number away and associating a back-doored device with authentication is basically a bad idea. Also see ample media coverage about the pitfalls associated with lost devices -- a subject we'll mention in passing tomorrow.
As our associate notes, "that's the high-profile stuff requiring the attacker actually expend effort, but the topics covered in Rob's video are more relevant to your average person..."
"Part III," which we'll publish tomorrow, "could expound ever so briefly on why smartphones fail at 2FA," our associate notes.
Rob's "presentation style is a bit ranty but the substance is all accurate," our associate says. Since it's one topic we never quite covered (I am not entirely ignorant about it, but my explanation would be poor, unconvincing, terse) and since we're going to be writing more about "Smartphones" (Spyphones) in the future, it's never too late to catch up. Another under-reported and grossly neglected (barely covered) issue is ClownFlare's takeover or control of Web traffic.
For now, or today at least, we focus on the problem with 2FA over "smart" (spy) phones, just ahead of Part III of My Year as a Digital Vegan.
Andy himself has told me that "this is hard to explain. I think a key issue - as I've presented it to my cybersecurity classes (and it's a Bruce Schneier thing) that an illusion of security (trustworthiness) of one factor can be an overall negative (real) security impact."
He has further used this analogy: "In reality they should operate as if in series/cascade however people treat the factors such they function as if in parallel, which as for an electrical circuit resistance, brings down the security."