This is probably compliance-related. For me, TOTP isn’t “something I have”, it’s another thing I toss into my password manager and sync to all devices.
I really agree with it, but that’s probably their rationale.
Banks didn't support TOTP long before we were able to easily sync them across devices. It's likely more along the lines of banks generally have bad IT departments and outdated digital security policies.
That same rationale wouldn't support SMS as "something I have." iMessage and other solutions easily spread SMS into cloud and PC lands (ones that are more easily accessible than password managers.) More likely it's because of legacy and "good enough" reasons.
Personally I don't put TOTP tokens into my password manager and keep a dedicated app for it, just in case my password manager is pwned.
I'm not really defending it, I'm explaining the mentality. iMessage is probably closer to "something I have" but yeah, often not true for many American users.
I'd probably keep a TOTP app if I actually brought my cell with my everywhere but I really don't feel like it; if I'm heading to a cafe to work for a bit I might need to access something and can't be bothered to bring two devices.
Plus, people increasingly access stuff from cell phones, so it's not a guarantee of "something you have" anymore. And no shot we're convincing everyone to start carrying some kind of hardware token.
You have to remember that cybersecurity is driven by what is secure so much as what is compliant, and increasingly so.
I do the same, and it somewhat defeats the spirit of 2FA, but I still believe it's more secure. It's basically a second password where intercepting it in transit once isn't enough to be able to repeat the login in the future.
My bank sends me 2FA codes in their app, which I then have to type into... their app. No kidding. Both the key and the validation in the same place, really ridiculous. Even something as crap as SMS 2FA would be better. TOTP or FIDO2 would be miles better.
Sargos|9 months ago
lxgr|9 months ago
SMS-OTP, with all its downsides, allows attaching a message of who you're paying how much to the actual code.
throitallaway|9 months ago
Personally I don't put TOTP tokens into my password manager and keep a dedicated app for it, just in case my password manager is pwned.
_bin_|9 months ago
I'd probably keep a TOTP app if I actually brought my cell with my everywhere but I really don't feel like it; if I'm heading to a cafe to work for a bit I might need to access something and can't be bothered to bring two devices.
Plus, people increasingly access stuff from cell phones, so it's not a guarantee of "something you have" anymore. And no shot we're convincing everyone to start carrying some kind of hardware token.
You have to remember that cybersecurity is driven by what is secure so much as what is compliant, and increasingly so.
connicpu|9 months ago
unethical_ban|9 months ago
Yes, a digital OTP generator is more susceptible in theory to theft or duplication than a hardware token.
Yes, the benefits of digital OTP are great compared to password only, more secure than SMS, and trivial to implement.
unknown|9 months ago
[deleted]
pabs3|9 months ago
https://en.wikipedia.org/wiki/Digipass
wkat4242|9 months ago