Just had an email from PayPal saying they're rolling out SMS-based two-factor authentication (and so I must validate my phone number)… yet they've got the temerity to call it “strong customer authentication.” If it was really about safeguarding accounts, they wouldn't be using SMS at all – which has proven to be no obstacle to hijacking accounts in just about any system that's used it.
Precisely. It’s almost a joke at this point.