Assuming that they use a strong enough cookie (e.g., containing a randomized unique key that's verified by the server) and all connections are made over SSL, it should basically be as resistant to remote attack as the person's cellphone (e.g., SIM chip spoofing to get two cells on the network under the same call number).
I say that here, the weak points are the user and the cellphone; I think that the barriers to usage that the site sets up will most likely deter all but the most paranoid users from using it.
I'm suggesting that if for some reason a site thinks that that sort of security is necessary, they shouldn't change their mind for the sake of people using their telephones.
Particularly since at the current rate of development, the average phone will be able to do it just fine in a few months.
It's a curious set of things you've chosen to communicate to users about the security of mobile phones. For instance, it's important to your page to tell users that phones make it harder to "replace the operating system". That's true, but from the vantage point of security, operating system replacements are mostly a tool for attackers, not defenders.
Security researchers will also happily sell their tools to law enforcement and other agencies. Companies like Cellebrite specialize in that.
In short, if you are being targeted (and, granted, the chance of that is pretty low), your data and communication are not secure.
It's an economic question, not a technological question (the FBI paid $1.3m in one case to get access to a phone).
If they can hack your phone presumably they could just hack the thousand cloud services you use or the cloud they run on anyway. Seems a minor additional concern.
> most security threats these days seem to be external to the device you are using.
It depends. Off the top of my head, the smartphone is the most common second factor, so an attacker that's on your smartphone may be able to log onto most services that have 2FA. Or alternatively, they can DoS your own attempts to log into these services by deleting SMS, or just sending the phone into a reboot loop. (Of course, "targeted DoS" is not in everyone's threat model. But still, I have more peace of mind using a dedicated TAN generator device instead of my phone.)
If you care that much about your privacy and security you shouldn't use a cell phone at all. Your ISPs and network will be the biggest offenders in collecting and selling your data.
There are more ways to exploit a phone than a computer, and you can't control how it works. A computer you can pretty much completely control. Moreover, it is easier to surreptitiously own a phone. It's this false sense of security that's dangerous.
If you break the encryption you can intercept 2FA at the least. Any time encryption is broken, security assumptions have to be re-evaluated. Your HTTPS session might be secure but that doesn't mean there aren't new holes somewhere else in the stack.
This post [1] from Kraken covers how to protect yourself from this kind of attack. It's quite thorough. Interesting even if this isn't a concern for you directly.
Your website is outsourcing security to any company which can service a cell phone account, which may be better than your website security or worse.