When PayPal started emailing customers this month that it was backing off unencrypted SMS for multifactor authentication (MFA) at login, it came with the typical approach-avoidance asterisk. The financial services giant signaled that it was turning the page on the much-maligned authentication method while simultaneously offering no timeline and assuring customers SMS wouldn’t entirely go away — a curious strategy that could help smooth over customer loss. SMS has a long history of opposition from security executives, mostly pointing to how easily it can be sniffed and subject to man-in-the-middle attacks, among others. As a result, Google has backed off SMS, as has Microsoft, Cisco, and even...