Not got much hope
My own building society proudly emailed me to boast of their new security measures. They're going to start to use SMS as a second factor. Nice to think they've been merrily developing a security architecture based upon a discredited model. SMS hasn't been good enough for years due to how easy it is to carry out SIM swap fraud.
It's better than nothing, I'll grant that. But they'll have known SMS is discredited but developed for it anyway because it's the cheapest option. They're not alone either. I've had dealings with at least three large companies who will process large amounts of special category data. One didn't think there was anything wrong with having an unencrypted login to a system monitoring vulnerable adults; two others have special category (health) information and single factor logins on public websites. They too are 'developing' an SMS based MFA. With reluctance. One is having ongoing arguments with us that health referrals don't contain personal information, therefore they don't need to be secure (we've had enough of the nonsense and we've started speaking to the ICO about this one).
I'm getting very tired of just how fucking useless, naive, short sighted, two-faced (have I said "fucking useless" already?) big businesses are. I'm loving the big fines the ICO handed out to BA and Marriott and I look forward to more. Then they might get it, might.