top | item 36982379

Phurist | 2 years ago

Why would I want to buy a smartphone, just to log in to some service? Why would I want to install some crappy auth app on my computer (that most likely does not have a Flatpak for it even)?

Most places do not support Yubikey... so getting SMS on my Nokia 3310 is the best option for me.

SMS is the way to go.

vladvasiliu|2 years ago

You don't need a crappy app. Just write down the seed someplace and compute the TOTP yourself. It's not rocket science.

https://en.wikipedia.org/wiki/Time-based_one-time_password

edit: here's a cli tool for doing this: https://www.nongnu.org/oath-toolkit/oathtool.1.html

orangepurple|2 years ago

KeePassXC and KeePassDroid support TOTP tokens in the same record as your username and password for more convenience too.

loxdalen|2 years ago

It's the way to go for you since it is convenient for you? Doesn't really help against the security problems with SMS. Someone can for example socially engineer a phone company operator to steal your phone number.

ThePowerOfFuet|2 years ago

SMS is the way to go until your operator swaps the SIM on your line without your approval.

SMS is the way to go until you need to sign in from somewhere you don't have cellular coverage.

TOTP is superior in almost every way. Failing that, sending a login link (or code) to the user's email address is more secure than SMS.

pjmlp|2 years ago

Which feature phones usually used by aging population support TOTP?

Knee_Pain|2 years ago

SMS is not the way to go and you are conflating capabilities with poor engineering.

You cannot install a barebones TOTP app on your Nokia 3310 because it is closed source.

Most services don't offer third party TOTP because they are pressured into pushing their shitty proprietary apps.

But TOTP not only is more secure but it's completely offline. It's close to the best solution and totally exists right now.

yomlica8|2 years ago

This is the problem though. SMS was pushed early on since it was a great way to identify and track users in addition to being easy for most of them to use. It was never as good of a choice as TOTP, but it was easier to get users to use. But now there is momentum behind SMS and sporadic support of things like TOTP.

Most of the new alternatives seem focused on pushing lock-in traps and are complicated for users to understand or use. If they're going to lose user tracking of the phone number they want something even worse to replace it, not something open like TOTP.

nottorp|2 years ago

Well I have a smartphone but I still don't want a shitty app for each service.

What's all this about SMS being insecure? I never heard of phone numbers being hijacked in my country (except in the case of physically stolen phones ofc). Is this another consequence of the US making it so easy to steal an identity?