This is something I am seeing more and more of. As companies start to either offer or require 2FA for accounts, they don’t follow the common standards or even offer any sort of options. One thing that drives me nuts is when they don’t offer TOTP as an option. It seems like many companies either use text messages to send a code or use some built in method of authorizing a sign in from a mobile device app.

What are your thoughts on why they want to take the time to maintain this extra feature in an app when you could have just implemented a TOTP method that probably can be imported as an existing library with much less effort?

Are they assuming that people are too dumb to understand TOTP? Are they wanting phone numbers from people? Is it to force people to install their apps?

*edit: I also really want to know what not at least give people the option to choose something like TOTP. They can still offer mobile app verification, SMS, email, carrier pigeon, etc for other options but at least give the user a choice of something besides an insecure method like SMS.

  • 8bitguy@kbin.social
    link
    fedilink
    arrow-up
    56
    arrow-down
    1
    ·
    1 year ago

    As someone who has had to walk the “I don’t do computers” public through basic things over the phone, I can confirm that yes, a lot of people are way too lazy to learn anything new. They will instead call the support folks and blast some poor person just trying to deal with their day. Call center volume goes up anytime any barrier is added. Agreed though, SMS OTP is constantly becoming less effective. Email OTP is somewhat pointless.

      • 8bitguy@kbin.social
        link
        fedilink
        arrow-up
        32
        arrow-down
        1
        ·
        1 year ago

        Email is commonly compromised. It’s an easy target for bad actors executing a takeover.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          arrow-up
          5
          ·
          1 year ago

          SMS also isn’t that hard to compromise either. I can at least put email behind real 2FA, so they’d have to somehow intercept the email to break email 2FA. I can’t do that with SMS, I’m at the mercy of carriers, who obviously don’t care.

      • IphtashuFitz@lemmy.world
        link
        fedilink
        English
        arrow-up
        12
        ·
        1 year ago

        The email protocol, SMTP, was originally not designed with encrypting content in mind. Encryption was added years later, but as an option that is negotiated between mail servers.

        While large email providers like Gmail, outlook, etc. likely all support encryption as best as they can, all it takes is one misconfigured server, etc. to cause emails to be sent in clear text at least part of the way from location to another.

        It’s largely for that reason why a lot of people & organizations don’t trust email to be secure unless you use mail clients that encrypt and decrypt mail at both ends. But that’s a PITA to set up properly and manage.

        If your email is sent entirely within an ecosystem like Gmail then it’s likely encrypted the entire time. But as soon as it passes outside of Gmail to another organization there’s no guarantee it’s still secure. These days it probably is, as virtually every reputable internet provider & company is going to take the issue seriously, but there’s still the history of SMTP not being encrypted that haunts those in the security fields.

        • Socsa@sh.itjust.works
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          SMS has the same problem though. It’s only marginally safer because the tools to hijack a cellular session are a bit more complicated to use, but they are widely available and you can find plenty of instructions online on how to use maybe $3k worth of equipment to spoof a GSM base station and force a target device onto it. Hell, in some cases you don’t even have to force the target device onto your rogue ENB - you can just jam the phone and hijack the number through your own SIP gateway if you get the timing right.

      • russjr08@outpost.zeuslink.net
        link
        fedilink
        English
        arrow-up
        8
        ·
        1 year ago

        Because Two-Factor Authentication is generally supposed to be under the principle of “Something you have and something you know”, the password being the “know”, and using a TOTP on an app via your phone would be the “have” (the phone).

        I suppose if your email is restricted to the something you have/know it’s a bit better, and certainly better than nothing - but not by much.

        • Duroth@kbin.social
          link
          fedilink
          arrow-up
          3
          arrow-down
          1
          ·
          1 year ago

          Alternatively, if your e-mail provider does offer a more secure 2FA solution, then sending a temporary code to your e-mail address would be a valid 2FA method by proxy. So it’s not entirely a bad idea. (Although I’ve yet to see an e-mail provider that enforces 2-factor)

          • shortwavesurfer
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 year ago

            Protonmail. I dont have a backup email registered for recovery so if i loose my password and 2fa im totally fucked

            • sugar_in_your_tea@sh.itjust.works
              link
              fedilink
              arrow-up
              2
              ·
              1 year ago

              Same, which is why I use a password manager and periodically take encrypted backups. The average person isn’t going to do that, but I like having the option to use email 2FA instead of SMS, since I can make email 2FA pretty secure, but I can’t do that for SMS.

  • DigitalDilemma@lemmy.ml
    link
    fedilink
    arrow-up
    41
    ·
    edit-2
    1 year ago

    Here’s one that annoyed me this week. Juniper - the enterprise router people - require you to have an account to do their training. That’s a web account that won’t let you use more than 20 chars in your password, and won’t let you paste a password.

    Not 2fa, I’ll grant you, but it’s from the same bucket of dumb insecure shit that you’re talking about.

    • kill_dash_nine@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      31
      ·
      1 year ago

      The fields where you can’t paste a password or any other types of data like credit card info absolutely kill me. It’s doing the exact opposite of adding any level of security and it’s just infuriating.

      My favorite recently is my company has TOTP 2FA but you can’t paste the 6 digits. You have to type in one digit at a time, each being its own box. Paste fails in every browser I’ve tried. It’s just a shitty user interface.

      • jo3shmoo@sh.itjust.works
        link
        fedilink
        arrow-up
        10
        ·
        1 year ago

        A bunch of companies seem to be implementing that version (not being able to paste the 6 digits). It’s just asinine and makes me think less of any product / company using that style.

      • DeltaTangoLima@reddrefuge.com
        link
        fedilink
        English
        arrow-up
        8
        ·
        edit-2
        1 year ago

        I hate all of these things so much. Like somehow my clipboard (which any halfway decent password manager either doesn’t use, or scrubs clean after use) is the weak link in the security chain.

        I’ll go one better to @[email protected]’s example: I once created an account on a “security” vendor’s website (quoted, because they acquired security products, rather than developing them) that limited passwords to 12 characters. They didn’t tell you - they just shortened it before (presumably) storing the hash.

        Fun and fucking games trying to logon each time, when your password manager has stored the random 16 char password you thought you were setting.

    • prole@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      9
      ·
      1 year ago

      Passwords with such low char limits drive me nuts. I’ve been using passphrases because they can be more secure and easy to remember. I hate when there isn’t enough space in the field for my pw. Just… Why??

  • library_napper@monyet.cc
    link
    fedilink
    arrow-up
    35
    ·
    1 year ago

    Yeah, they just want your phone number.

    It’s against our company policy to let users do 2FA over SMS. Only secure options are allowed.

  • OsrsNeedsF2P@lemmy.ml
    link
    fedilink
    arrow-up
    35
    arrow-down
    2
    ·
    1 year ago

    Because our requirements come from a different business unit that has no understanding of their task, only a checklist of features that need to be implemented. “2FA” is one of those things, and we’re tasked to take the easiest route possible.

  • hperrin@lemmy.world
    link
    fedilink
    arrow-up
    27
    ·
    1 year ago

    Do you know how hard it is to implement TOTP? It took me two hours to implement it in my email service. You can’t expect these multimillion dollar corporations to pay an engineer for two whole hours of work to implement a tested and proven standard.

  • hightrix@lemmy.world
    link
    fedilink
    arrow-up
    24
    arrow-down
    1
    ·
    1 year ago

    Simple answer. Our users complained about downloading an app to login to the app they just downloaded.

    Users don’t care. They don’t want to download yet another app just to login. They want to use what they already have, like sms or email.

      • loutr@sh.itjust.works
        link
        fedilink
        arrow-up
        20
        ·
        1 year ago

        Most people simply don’t get the point. They don’t understand, let alone care about, digital privacy and security.

        Anecdotal evidence: I have a short Gmail address (think [email protected]), and a lot of smartasses use it to subscribe to everything, mostly as a throwaway but also on e-commerce sites, fintech bullshit with access to their bank accounts, …

        Once I got curious and reset the password, logged in and the moron had already filled in all his personal info, including his credit card. Another time I sent an SMS to the guy asking him to stop, he replied “it’s my address, my nephew set it up for me, I guess we just have the same one”.

        These guys would never take 10 minutes to set up a 2FA app.

        • Father_Redbeard@lemmy.ml
          link
          fedilink
          arrow-up
          7
          ·
          1 year ago

          Similar happened to me. I’ve had a Gmail since the beta days and a fairly common name. I get sensitive documents sent to me, random order confirmation, even a flight confirmation that I signed into to try to find his phone number so I could text him. I’ll admit I wanted so badly to cancel his flight. But I didn’t. Texted him and told him he needs to reset his pwd. Just so careless.

        • zwekihoyy@lemmy.ml
          link
          fedilink
          arrow-up
          3
          ·
          edit-2
          1 year ago

          people are even dumber than I realized holy shit. I knew people weren’t willing to go far for security measures but this is actually much worse than I would have guessed.

          laziness, ignorance, or privilege? I’m unsure which of the three causes this. I find it hard to believe it’s ignorance because online scams and hacks are very well known and I’ve always hated “laziness” as a concept.

      • Greenbubbleb0y@sh.itjust.works
        link
        fedilink
        arrow-up
        7
        ·
        1 year ago

        Unless you get a fidelity account. Then you need one totp app for all your other accounts and symmantec VIP proprietary shit for fidelity. Text book example of how not to implement 2fa

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          You can actually import the Symantec key into your TOTP of choice, it just takes some extra effort. Or you can just buy a TOTP hardware key, which is what I ended up doing (throw it in the keychain and I’m set).

          • Greenbubbleb0y@sh.itjust.works
            link
            fedilink
            arrow-up
            3
            ·
            1 year ago

            I did do this. Took me forever cause there were no directions for how to do it on windows. I figured it out eventually. I’m also kinda worried whoever created it could see my totp secret key.

            You can use hardware keys with fidelity? Like yubico?

      • AbsurdityAccelerator@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        And you should be using a password manager anyway, which can generate the token. Granted, it’s probably bad practice, since it defeats the two factor aspect.

        • 👁️👄👁️@lemm.ee
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          Perfect security gets in the way of improved security. The best practice is a middle ground of security and convience. At least it depends on the threat level anyways.

    • float@feddit.de
      link
      fedilink
      arrow-up
      4
      ·
      1 year ago

      Then at least make it an option. Just because someone’s grandma doesn’t want to use TOTP or any other reasonable 2FA doesn’t mean nobody else does.

      • hightrix@lemmy.world
        link
        fedilink
        arrow-up
        4
        arrow-down
        1
        ·
        1 year ago

        We do. Our users can configure sms email or totp.

        Funny you mention grandmas. Our user base is highly educated and the majority fall in the 30-50 year old range.

        • float@feddit.de
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Sadly that’s true. I’m in that range and most of my friends use the same password for almost everything. Also nobody does backups.

          • MystikIncarnate@lemmy.ca
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            Damnit, trying to convince people to use a password manager at all is like pulling teeth…

            Stop setting every service you use to the same hunter2 password Frank! You get “hacked” because you can’t remember anything more complex, so use a fucking password manager already you Putz.

  • maporita@unilem.org
    link
    fedilink
    arrow-up
    17
    ·
    1 year ago

    I can’t answer your question but it’s particularly annoying for me because I travel a lot for work. Sending me an SMS message when I’m in the middle of Africa isn’t going to work. (In fact I found a way to make it work by enabling wifi calling with my US cell provider… but I shouldn’t have to jump through hoops to verify my identity)

    • kill_dash_nine@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      8
      ·
      1 year ago

      I also used to run into this when flying for work I would have paid for wifi on a plane flight but my mobile device isn’t able to get their text or push notification because I only paid for my laptop to have wifi. Used to drive me crazy and then I just stopped working while on flights because of dumb policies.

    • TCB13@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      21
      ·
      1 year ago

      That’s why you use an Authenticator app that gives you TOTP offline.

      • kill_dash_nine@lemm.eeOP
        link
        fedilink
        English
        arrow-up
        15
        ·
        edit-2
        1 year ago

        If a service you use does not offer TOTP but implements their own 2FA through another method, you have no choice to use it though.

  • philluminati@lemmy.ml
    link
    fedilink
    English
    arrow-up
    16
    ·
    edit-2
    1 year ago

    I think it’s because TOTP requires some sort of initial token sync that is more complicated than entering a telephone number. There’s also no need to have people backup codes etc. To use Authy for example I need to photograph a QR code and have a smart phone.

    Text message as a solution works on older non-smart phones so it’s possibly the “most widely accessible” solution.

    From a backend perspective as well it’s just an API text $random to $phone.

    • hperrin@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      TOTP is much easier to implement on the backend. No API required, just generate a few codes yourself and check if the user gave you one of them (multiple codes to provide a time window).

      • philluminati@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        1 year ago

        You have to configure the users device at the start to give you your own codes back…

        • hperrin@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          That’s just a secret, like a password. If you can save their password, you can save their TOTP secret. For the user, they just scan a QR code with their app. They don’t even have to type the code in.

  • tsonfeir@lemm.ee
    link
    fedilink
    English
    arrow-up
    13
    ·
    1 year ago

    Support. Explaining what OTP is to my mother would be impossible. Getting her to download an app-even harder. Companies (like mine) have to develop for the lowest common denominator. Email, sms, voice call, snail mail. That’s all we have.

    • Rentlar@lemmy.ca
      link
      fedilink
      arrow-up
      18
      ·
      1 year ago

      We sent a letter to your address. Please type in the six digit code, which will expire in 8 weeks. If you didn’t receive it after 6 weeks you can opt to send another code.

        • hperrin@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          If the problem is that someone doesn’t know what TOTP is, then just hide the setup behind a link that says “Use TOTP instead of SMS”. Problem solved. Everyone who knows what it is can use it, and the people who don’t won’t click it.

          • tsonfeir@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            If it’s hidden, then no one would use it and my development time is better spent on things that matter.

            (I don’t actually disagree with you, I like TOTP personally)

            • hperrin@lemmy.world
              link
              fedilink
              arrow-up
              1
              arrow-down
              1
              ·
              1 year ago

              I don’t mean actually hidden, I mean an option behind a link. Of course people would use it. I would, you would, and OP would. That’s 100% of the people in this conversation.

              • tsonfeir@lemm.ee
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                As long as I can say “you’re on your own” to every one of those 100%

  • lennier@kbin.social
    link
    fedilink
    arrow-up
    13
    ·
    1 year ago

    Some companies main users that they want to protect are customers who consider security to be having one shared password written on the noticeboard in the office. Sadly, sms is just an easier sell to a lot of users, and even getting them to do that can be a nightmare.

    As for why proper TOTP isn’t supported as well… the cynic in me gives you the answer “the auditor required we implement 2fa, we have implemented sms 2fa, now go implement shiny feature x instead of wasting time” is probably a common corporate response.

  • ramble81@lemm.ee
    link
    fedilink
    arrow-up
    9
    ·
    1 year ago

    Mobile apps should be fairly obvious. It’s drives use of their application which is something they want. For most everything else, everyone* already has a phone and can do SMS, though it’s being proven to be more insecure.

    Both of those options meet their needs, the needs of the customer are secondary.

  • JokeDeity@lemm.ee
    link
    fedilink
    arrow-up
    13
    arrow-down
    4
    ·
    1 year ago

    I understand why people want 2FA, but I’m just not that worried about it and wish it was a choice. I am so fucking tired of pulling my phone out every single time I want to use certain applications on my computer. I don’t care if these accounts get hacked, frankly, I have no money invested in them, so let me just choose to be risky for convenience sake.

    • hedgehog@ttrpg.network
      link
      fedilink
      arrow-up
      11
      ·
      1 year ago

      Steam’s 2FA is just a different TOTP algorithm, it’s just a pain to extract it. However, once you do, there are TOTP apps that support it - Bitwarden (with premium) and Yubikey Authenticator.

      Here’s a guide - note that as far as I can tell this site is not owned by Yubico but is just a random person who put up some Yubikey guides. However I did something similar over a couple years ago - pretty sure I used the same tool that’s recommended - and my Steam account hasn’t been hacked yet.

  • ricecake@sh.itjust.works
    link
    fedilink
    arrow-up
    6
    ·
    1 year ago

    So, the real reason is because they’re usually not implementing it themselves, and the service they’re using has an array of options, and they went for the most “user friendly” approaches.
    Registering an authenticator or typing numbers is viewed as hard by a lot of people, so SMS or an push notification are viewed as the easy route.

    • setVeryLoud(true);@lemmy.ca
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Could at least offer it, I don’t consider SMS secure, and push notifications require that you have a supported mobile device.

      • ricecake@sh.itjust.works
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        You’re not wrong, but it can be difficult to support more than the minimum without more buy-in from a financial perspective. Things beyond SMS tend to need an enrollment process that would impact the user sign-up flow.
        You can create the user and store their phone number in one step, but totp sign-up usually needs something where you can create a provisional user, and then activate their MFA to activate the user.

        It’s why a lot of passkey stuff has a lot of potential, since it can make it easier for the user to sign-up, which has an appeal to people who are making decisions that have to consider sales and IT concerns.

  • lustrum@sh.itjust.works
    link
    fedilink
    arrow-up
    7
    arrow-down
    2
    ·
    edit-2
    1 year ago

    Mobile apps can suck a fart. I hate installing apps when the browser works perfectly fine.

    SMS is way less secure but it is convenient for the masses to get your grandma easily using 2FA without any apps or more complex setup. It also doesn’t require internet like an app would.

    I personally use Fido2/uauth > TOTP > Email > SMS.