kill_dash_nineSep 27, 2023

Why Do Companies Not Use Existing 2FA Standards?

https://lemm.ee/post/9526374

Why Do Companies Not Use Existing 2FA Standards? - lemm.ee

This is something I am seeing more and more of. As companies start to either offer or require 2FA for accounts, they don’t follow the common standards or even offer any sort of options. One thing that drives me nuts is when they don’t offer TOTP as an option. It seems like many companies either use text messages to send a code or use some built in method of authorizing a sign in from a mobile device app. What are your thoughts on why they want to take the time to maintain this extra feature in an app when you could have just implemented a TOTP method that probably can be imported as an existing library with much less effort? Are they assuming that people are too dumb to understand TOTP? Are they wanting phone numbers from people? Is it to force people to install their apps?

Show thread8bitguySep 27, 2023
As someone who has had to walk the "I don't do computers" public through basic things over the phone, I can confirm that yes, a lot of people are way too lazy to learn anything new. They will instead call the support folks and blast some poor person just trying to deal with their day. Call center volume goes up anytime any barrier is added. Agreed though, SMS OTP is constantly becoming less effective. Email OTP is somewhat pointless.
Show threadCoggyMcFeeSep 27, 2023
Can you explain what you mean when you say email OTP is mostly pointless?
Show thread8bitguy
Email is commonly compromised. It's an easy target for bad actors executing a takeover.
Sep 27, 2023 at 12:48pmWeb
Show threadsugar_in_your_teaSep 27, 2023
SMS also isn’t that hard to compromise either. I can at least put email behind real 2FA, so they’d have to somehow intercept the email to break email 2FA. I can’t do that with SMS, I’m at the mercy of carriers, who obviously don’t care.