Re: SIMS
perhaps it’s time to look at tying a SIM to a particular device
That would defeat the whole point of having SIMs.
A mobile number is temporarily assigned to a SIM, not a physical handset. That way, when I upgrade my handset, I can pop the SIM out of the old phone and into the new phone and the number follows the SIM to the new phone. A SIM is designed for portability between handsets. And if a SIM gets damaged or lost (say I drop your handset over the side of a boat while fishing), the number can be assigned to a new SIM, that can be placed in a new (or old/existing) handset, so I can keep my number
There is no problem with the SIM paradigm. The problem is with the paradigm of assuming a phone number, an entirely virtual construct, is a valid factor in a MFA system. It is not. It never has been.
The traditional security factors are:
1) What you know (e.g. password, PIN)
2) What you have (something in your physical possession, e.g. keycard, token generator, ID pass, badge)
3) What you are (biometrics - DNA, fingerprint, iris, face recognition)
Companies have been using phone numbers as a "What you have" factor. But a phone number is not a physical thing in your possession. A phone number is something that is virtually assigned to a SIM, and can be changed arbitrarily, remotely, without your knowledge or input. It is not an appropriate "What you have" factor. It never has been. It was a half-arsed, public-relations attempt at a 2nd factor. It is the TSA (security theatre, not actual security) of the multi-factor authentication world.