item 44727956

seplox | 7 months ago

> When I tell people I work on authentication software, I nearly always hear some version of the same story: I hate multifactor authentication. No, really. People hate this stuff.

I hate all of the half-cooked non-TOTP MFA methods that I'm forced to use. Just let me use my freaking authenticator app. If you believe that your users prefer (or maybe it's just you?) more databroker-friendly methods, then fine, but please at least provide TOTP as an option.

cosmic_cheese|7 months ago

I wish that banks would offer TOTP. SMS is famously insecure and poorly suited for something that’s a load-bearing pillar in most of our lives, and TOTP is probably the most reasonable replacement. Unfortunately only a tiny handful of US banks offer non-SMS 2FA of any kind, and to my knowledge the one that does (Schwab I think?) requires the use of a hardware gadget even though it’s standard TOTP (which people have written Python scripts to extract the necessary bits of info from).

hinkley|7 months ago

To this day I'm just amazed that World of Warcraft tried to mandate security tokens in a time when E*Trade barely supported them.

Why is a video game embarrassing fintech?

toomuchtodo|7 months ago

Fidelity offers TOTP standard support, works with the native Apple Password app/keychain.

tn1|7 months ago

Schwab supports Symantec VIP, but there's a Python package to emulate it, which will give you a regular TOTP setup code.

riedel|7 months ago

At least in Germany all the SMS 2FA has been shut off, but replaced with tons of custom 2FA apps. The security argument is certainly that they can check for 'insecure' devices. But I wonder what the empirical evidence here is and how often (compared to phishing/social engineering) a TOTP token was actually stolen. Worst thing is IMHO Microsoft now, which seems to have also shut off the TOTP option and uses some other proprietary 2FA scheme now. IMHO banks should simply use FIDO2 HW tokens, but with all that passkey bullshit it becomes unlikely...

GoblinSlayer|7 months ago

A failure scenario I found is when MITM antivirus decrypts traffic (or something similar), so a proprietary 2FA scheme doesn't work, because it can't get through the network.

7bit|7 months ago

No it hasn't. How can you make a statement so confident, when obviously you couldn't objectively know?

arccy|7 months ago

TOTP is still terrible, still phishable, more annoying to enter or use. It's only tolerable because it's better than the other methods you might see (email, SMS, custom app), but IMO it also falls into the half-baked category behind things like passkeys.

EatFlamingDeath|7 months ago

Yes, for the love of god and all that is holy, just let me use TOTP for MFA. I absolutely HATE that some banks use SMS as a method of MFA. Sometimes it's a mix of an 8-character numeric password with SMS as MFA.

esseph|7 months ago

A passkey is far better than TOTP for security to the point that TOTP should probably be deprecated already.

7bit|7 months ago

Passkeys don't replace all use cases for TOTP.

lanfeust6|7 months ago

TOTP still seems good enough for most things.