So I see EE have enabled the worst of 2FA security - SMS-based. This is at least a small step forward BUT two things:
1) how does it protect against SIM swap fraud if the only means of 2FA is no longer being sent to the legitimate user (ie. the victim of the SIM swap)?
2) why have customers not had notification/information that 2FA is an option and information as to how it works? I had to go looking for it. The phrasing of how it works seems to suggest it will only be triggered if EE think something is 'unusual'. Well forgive me for not having full confidence in letting EE be the decider of that.
Why not just enable it properly like every other site with moderate security does? What to log in? Username and password + 2FA code please. And please let us use a proper authenticator such as Google or Authy etc.
It's half a job done, but done poorly. I've not yet enabled it as I'm not convinced a bad implementation is better than no implementation...
