Obama was calling for 2FA back in 2016. https://www.wsj.com/articles/protecting-u-s-innovation-from-...

> we’re launching a new national awareness campaign to raise awareness of cyberthreats and encourage more Americans to move beyond passwords—adding an extra layer of security like a fingerprint or codes sent to your cellphone

Amongst other things.



And now every website has an excuse to require a verified phone number...

I guess it probably does raise the baseline, but at the cost of those who have good security practices.


There's a simple way to tell if 2FA is being used for security or to harvest phone numbers: Does the site let you use an email instead of a phone number? If you can't use an email, the purpose is to harvest phone numbers.


> Does the site let you use an email instead of a phone number?

Or TOTP.


TOTP is so good, it should be treated as equal to or superior to a phone number or e-mail as a requirement, by regulation, as an option for any site conducting business in US Dollars. E-mail is terrible for secure authentication. Banks have had plenty of time to implement this and haven't. TOTP can eliminate the password altogether, and make login usernames long-lived, long TOTP or HOTP codes, and I have just solved the terrible passkey problem!


Email is pretty reasonable for secure authentication. All but the most anachronistic mail servers use TLS these days and you're under no obligation to use any of the few that don't. The notion that email is insecure is from the old days when the links weren't encrypted.

SMS, on the other hand, is an abomination to this very day and should not be used by anyone for anything.


> TOTP can eliminate the password altogether

Does anyone have TOTP-only authentication?
