top | item 33435915


mpalczewski | 3 years ago

Techies can best influence by understanding why SMS OTP is popular and coming up with something better.

Not only do you need to understand what shortcomings SMS has, but non-cynically understand why other solutions are worse.


hn_throwaway_99 | 3 years ago

Can't upvote this enough. People who say "we should all just use WebAuthn" need to understand:

1. Theoretically, they're right

2. Realistically, it feels like they've never interacted with the non-tech public, and all the issues and problems that need to be worked around with hardware keys.

There is a good reason companies are trying to move us to a "passwordless" future, but there is also a good reason they are going very slowly - they know there is no silver bullet.

weberer | 3 years ago

The best solution I've seen is third-party bank authenticators. It's only popular in Finland (and I think Norway) due to some sort of mandates. It solves the biggest problem of using SMS for this: RECOVERY. If you lose your phone or number, you can stop in to your local bank with your passport and have it reset. They'll actually scan your passport, so social engineering attacks won't work.

https://www.nordea.fi/en/business/our-services/mobile-online...

barkerja | 3 years ago

I kind of feel like this is being done already with WebAuthn and Passkeys. Another couple of years of users upgrading/updating devices, and the option to use a passkey may be as ubiquitous as using SMS for MFA.

ghaff | 3 years ago

It will take a while, but I'm hopeful that Passkeys--some variant of which has been discussed for well over a decade--will finally get mainstream adoption. I'm not convinced tokens ever will, at least outside of particularly high-value accounts.

deltarholamda | 3 years ago

> understanding why sms otp is popular

Exactly this. I bet you'd have less than a 25% success rate of getting the average user to even know that SMS and "texting" are the same thing. Now try to get them to understand what "OTP" is.

Having to register a phone number with a service is bad enough. Forgetting what weirdo password you were forced to come up with--"a capital letter, a special character (but not % or *), and a smiley-face Unicode character"--is bad enough. But for those people who just get a new phone and phone number for whatever reason, now you have to get that changed as well.

The big problems with SMS are 1) it is insecure, and 2) it does not have any sort of guaranteed delivery mechanism. These are problems that are readily solvable with a combined technical/governmental solution. Develop a standard, say "all mobile companies must adhere to this in 12 months," and then use that. Even if it isn't perfect, i.e. somebody finds a small flaw in the implementation, it's better than it is now.