probably just shouldn't use cell networks for 2-factor I have concerns with how Duo does phone two-factor authentication and think we can all learn from the way Google does it. The issue: If a user has their password compromised it’s easy to convince them to authenticate a 2-factor request without doing anything that would set off a red flag. This is due to the specific way Duo does phone call authentication.