Two-factor authentication using an EE mobile number is flawed

jamesmacwhite
Established Contributor

Hi,

I think there have been similar posts around EE's two-factor authentication (or the lack of it) until more recently. I'd like to share a story of my own making, whereby using the EE mobile number on the account as the sole two-factor method has flaws and a lockout scenario which I'm probably not the only one to hit.

First of all, having some form of 2FA option is good and supporting passkeys is a great step forward, so progress! The use of SMS is generally known to be a weaker 2FA option, however, and having this as the only option currently can be dangerous. The scenario I want to highlight is: what if your EE mobile number being used as said 2FA option is unavailable, e.g. the handset is broken, or you did what I did and got your SIM locked out, requiring a PUK code? There is a self-service option for obtaining a PUK code for your SIM through your EE account, but this is only available through My EE on the website, not the mobile app. Because of locking out my EE number, I could not use this option, as trying to log in would require a one-time PIN sent to the number... which has the SIM locked. I did have the My EE app logged in and available, but the PUK option is not available in the mobile app.

For context, I migrated to an eSIM, which all went fine. I then wanted to re-enable the PIN I had set on my physical SIM. In my head the default SIM PIN is 0000 or 1234; it turns out it is 1111, but I used the three guesses thinking one of the first two was correct and I had just keyed in one of the first two incorrectly. Nope, I was wrong, which is entirely my fault of course. The issue was further compounded by the fact that I did this late at night after EE support was available, so I had my SIM locked for a good 11-12 hours. Of course, EE phone support were more than happy to help and got me sorted, but this does show the importance of offering multi-factor options, ideally supporting authenticator apps or password managers, e.g. Microsoft Authenticator, Google Authenticator, Authy, 1Password and maybe others, where you have a TOTP secret stored to generate one-time passcodes at any time, regardless of an internet connection or even a mobile data connection.

Please consider implementing additional 2FA options for My EE logins. SMS security has limitations generally, but you can also potentially get account holders locked out by binding this to the primary EE account mobile number as well!

 

1 REPLY
Christopher_G
EE Community Support Team

Hi @jamesmacwhite 

Welcome to the community.

Thank you for sharing your experience and suggestions. I'll pass them over to the relevant team for them to consider.

Chris