This is something I am seeing more and more of. As companies start to either offer or require 2FA for accounts, they don’t follow the common standards or even offer any sort of options. One thing that drives me nuts is when they don’t offer TOTP as an option. It seems like many companies either use text messages to send a code or use some built in method of authorizing a sign in from a mobile device app.
What are your thoughts on why they want to take the time to maintain this extra feature in an app when you could have just implemented a TOTP method that probably can be imported as an existing library with much less effort?
Are they assuming that people are too dumb to understand TOTP? Are they wanting phone numbers from people? Is it to force people to install their apps?
*edit: I also really want to know what not at least give people the option to choose something like TOTP. They can still offer mobile app verification, SMS, email, carrier pigeon, etc for other options but at least give the user a choice of something besides an insecure method like SMS.
You must log in or register to comment.
Yeah, they just want your phone number.
It’s against our company policy to let users do 2FA over SMS. Only secure options are allowed.
Yeah, this is something many people seem to not understand.
SMS is not secure. The best option is something with FIDO2 or similar.
Simple answer. Our users complained about downloading an app to login to the app they just downloaded.
Users don’t care. They don’t want to download yet another app just to login. They want to use what they already have, like sms or email.
Then at least make it an option. Just because someone’s grandma doesn’t want to use TOTP or any other reasonable 2FA doesn’t mean nobody else does.
We do. Our users can configure sms email or totp.
Funny you mention grandmas. Our user base is highly educated and the majority fall in the 30-50 year old range.
Sadly that’s true. I’m in that range and most of my friends use the same password for almost everything. Also nobody does backups.
I’ve 14 items in Authy, and basically never used SMS as 2FA. Only to validate my identity on first signup. The only time SMS was used as 2FA for me was by the company I had an internship in programming in.
