This is something I am seeing more and more of. As companies start to either offer or require 2FA for accounts, they don’t follow the common standards or even offer any sort of options. One thing that drives me nuts is when they don’t offer TOTP as an option. It seems like many companies either use text messages to send a code or use some built in method of authorizing a sign in from a mobile device app.
What are your thoughts on why they want to take the time to maintain this extra feature in an app when you could have just implemented a TOTP method that probably can be imported as an existing library with much less effort?
Are they assuming that people are too dumb to understand TOTP? Are they wanting phone numbers from people? Is it to force people to install their apps?
*edit: I also really want to know why not at least give people the option to choose something like TOTP. They can still offer mobile app verification, SMS, email, carrier pigeon, etc. for other options but at least give the user a choice of something besides an insecure method like SMS.
As someone who has had to walk the “I don’t do computers” public through basic things over the phone, I can confirm that yes, a lot of people are way too lazy to learn anything new. They will instead call the support folks and blast some poor person just trying to deal with their day. Call center volume goes up anytime any barrier is added. Agreed though, SMS OTP is constantly becoming less effective. Email OTP is somewhat pointless.
Yeah, they just want your phone number.
It’s against our company policy to let users do 2FA over SMS. Only secure options are allowed.
Yeah, this is something many people seem to not understand.
SMS is not secure. The best option is something with FIDO2 or similar.
TOTP is fine. The point is that the OTP shouldn’t be sent to you. It should be generated on both sides independently.
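To illustrate the point in the comment above, here is an added example (not code from anyone in this thread) of RFC 6238 TOTP: the phone and the server share a seed once at enrollment, then each derives the same code from the current time, so no code is ever transmitted to the user. The seed and the time value are the published RFC 6238 test vector, used here as constructed demo data.

```python
import hmac
import struct

# Constructed demo seed: the RFC 6238 test key (ASCII "12345678901234567890"), not a real credential.
DEMO_SECRET = b"12345678901234567890"
STEP = 30  # seconds per time step, the default most authenticator apps use


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch.
    This is what the authenticator app computes locally; nothing is sent to it."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Server-side check. The server recomputes the code from its own clock and the stored
    seed, tolerating +/- `window` steps of clock drift, and compares in constant time."""
    for delta in range(-window, window + 1):
        expected = hotp(secret, now // STEP + delta)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False


if __name__ == "__main__":
    t = 59  # RFC 6238 test-vector time (Unix seconds)
    client_code = totp(DEMO_SECRET, t)            # computed on the phone
    print(client_code)                            # 287082
    print(verify_totp(DEMO_SECRET, client_code, t + 20))  # True: same step, server never saw a code in transit
    print(verify_totp(DEMO_SECRET, client_code, t + 95))  # False: three steps later, outside the drift window
```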
Here’s one that annoyed me this week. Juniper - the enterprise router people - require you to have an account to do their training. That’s a web account that won’t let you use more than 20 chars in your password, and won’t let you paste a password.
Not 2FA, I’ll grant you, but it’s from the same bucket of dumb insecure shit that you’re talking about.
The fields where you can’t paste a password or any other types of data like credit card info absolutely kill me. It’s doing the exact opposite of adding any level of security and it’s just infuriating.
My favorite recently is my company has TOTP 2FA but you can’t paste the 6 digits. You have to type in one digit at a time, each being its own box. Paste fails in every browser I’ve tried. It’s just a shitty user interface.
A bunch of companies seem to be implementing that version (not being able to paste the 6 digits). It’s just asinine and makes me think less of any product / company using that style.
Passwords with such low char limits drive me nuts. I’ve been using passphrases because they can be more secure and easy to remember. I hate when there isn’t enough space in the field for my pw. Just… Why??
ThisismyJuniperpass!
Steam is using their own implementation that is also used for getting push notifications when selling an item on their kind of marketplace.
I don’t use that feature, so having a standard 2FA would be nice as I could back it up like all the others…
Not Invented Here syndrome.
Everyone must reinvent the wheel.
Because our requirements come from a different business unit that has no understanding of their task, only a checklist of features that need to be implemented. “2FA” is one of those things, and we’re tasked to take the easiest route possible.
Support. Explaining what OTP is to my mother would be impossible. Getting her to download an app, even harder. Companies (like mine) have to develop for the lowest common denominator. Email, SMS, voice call, snail mail. That’s all we have.
We sent a letter to your address. Please type in the six digit code, which will expire in 8 weeks. If you didn’t receive it after 6 weeks you can opt to send another code.
So, the real reason is because they’re usually not implementing it themselves, and the service they’re using has an array of options, and they went for the most “user friendly” approaches.
Registering an authenticator or typing numbers is viewed as hard by a lot of people, so SMS or a push notification are viewed as the easy route. Could at least offer it, I don’t consider SMS secure, and push notifications require that you have a supported mobile device.
You’re not wrong, but it can be difficult to support more than the minimum without more buy-in from a financial perspective. Things beyond SMS tend to need an enrollment process that would impact the user sign-up flow.
You can create the user and store their phone number in one step, but TOTP sign-up usually needs something where you can create a provisional user, and then activate their MFA to activate the user. It’s why a lot of passkey stuff has a lot of potential, since it can make it easier for the user to sign up, which has an appeal to people who are making decisions that have to consider sales and IT concerns.
I understand why people want 2FA, but I’m just not that worried about it and wish it was a choice. I am so fucking tired of pulling my phone out every single time I want to use certain applications on my computer. I don’t care if these accounts get hacked, frankly, I have no money invested in them, so let me just choose to be risky for convenience’s sake.