top | item 33245918


itsrajju | 3 years ago

But what is stopping them from offering both? You can have the SMS 2FA as the default option, but also offer TOTP for the technically minded.


xienze | 3 years ago

Generally the justification is "hey, we offer one form of 2FA, that's pretty good. This TOTP thing is for paranoid nerds." Bosses see it as extra work for ~no gain, what's the point? You can explain the technical superiority of the approach until you're blue in the face but they see it as just another way to do what's already implemented.

GoblinSlayer | 3 years ago

The technically minded can simply use a strong password.

bvrmn | 3 years ago

This! There is no additional security for aware users with MFA. Make MFA turned on by default, ok, but for god's sake if you provide only SMS-based 2FA, allow it to be disabled.