Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: lee martell
Apologies to you, Lee, but I'm going to use your post as a soapbox.

All FReepers

Please do not think that a password is safe. Ever. Passwords are the easiest way to compromise an account. There's nothing simpler, because you, people, are the weakest link in EVERY cybersecurity practice.

93% of compromises start with phishing. If you respond to a strange email, click on a link, take a phone call from some entity claiming that you have a virus, they WILL take everything. I've seen advanced persistent threats (APTs) literally shut down food banks and not give a care in the world about people who they serve. I've seen APTs shut down a children's hospital and not blink once when implored to allow them to keep network-connected vitals monitors online. It all started because someone wasn't careful.

This article is complete trash. It leaves out that the woman was using SMS (text messaging) for multifactor authentication (MFA). SMS and phone calls were deemed unsafe by NIST back in 2015. They're not allowed for any federal agency to use for MFA, and you shouldn't be trusting them either. If your bank uses text messaging, call or email them daily demanding that they implement stronger authentication. Your phone can be taken over by anyone with SIM swapping, and it happens far more often than you think. Also, if you think that the underpaid grunts running a Verizon store wouldn't crumble like cheap suits when a bad actor offers them thousands of dollars to help compromise a phone, then you're living in ignorance. It happens more often than you think.

The strongest MFA available right now is FIDO2 leveraging a security key like a YubiKey device. It requires physical control of the device and a physical touch of the device to execute the security chip. A strong second is an authenticator app such as what Microsoft or Google provide. Push notifications are more secure than one-time passcode (OTP), which is the rolling random number. Again, do not trust that SMS, phone, or email codes are secure. They aren't. All three methods can be compromised with ease.

Please do not dismiss MFA. You do so to your online safety detriment. Please, I implore you, take the steps necessary to guard your identities. It is easier than ever to compromise them.

57 posted on 01/25/2024 2:30:54 AM PST by rarestia (“A nation which can prefer disgrace to danger is prepared for a master, and deserves one.” -Hamilton)


To: rarestia

I never use my phone for banking. I use my stationary computer at home. I have no added apps on my phone, a Samsung A51.

I think and hope I am better protected using my boring computer instead of a smartphone for banking.


60 posted on 01/25/2024 3:47:28 AM PST by dennisw (Be positive. Every day is a new day)

To: rarestia

In my experience, maybe 10% of sites have moved beyond SMS 2FA to Authenticator verification. Most companies are stuck in the past, which is frustrating.

You also have biometric authentication, either fingerprint or facial, which I use as often as possible on sites that support it. But again, few sites support biometric authentication even though it is nicely integrated into phone and computer OS’s.


61 posted on 01/25/2024 3:48:38 AM PST by ProtectOurFreedom (“Occupy your mind with good thoughts or your enemy will fill them with bad ones.” ~ Thomas More)

To: rarestia
This article is complete trash. It leaves out that the woman was using SMS (text messaging) for multifactor authentication (MFA).

Rarestia, that is an option of financial institutions that we can't turn off. Banks even ask you if you'd like your password reset sent via SMS or email. If you are the crook, you tell that website, “Sure, I would love getting my account reset via SMS!”

70 posted on 01/25/2024 4:42:41 AM PST by ConservativeMind (Trump: Befuddling Democrats, Republicans, and the Media for the benefit of the US and all mankind.)

To: rarestia

Feel free to do so. Your notes are performing a public service.


76 posted on 01/25/2024 5:17:07 AM PST by lee martell
