171

Why Do Companies Not Use Existing 2FA Standards? (lemm.ee)

submitted 11 months ago* (last edited 11 months ago) by kill_dash_nine@lemm.ee to c/technology@lemmy.ml

79 comments fedilink hide all child comments

This is something I am seeing more and more of. As companies start to either offer or require 2FA for accounts, they don't follow the common standards or even offer any sort of options. One thing that drives me nuts is when they don't offer TOTP as an option. It seems like many companies either use text messages to send a code or use some built in method of authorizing a sign in from a mobile device app.

What are your thoughts on why they want to take the time to maintain this extra feature in an app when you could have just implemented a TOTP method that probably can be imported as an existing library with much less effort?

Are they assuming that people are too dumb to understand TOTP? Are they wanting phone numbers from people? Is it to force people to install their apps?

*edit: I also really want to know what not at least give people the option to choose something like TOTP. They can still offer mobile app verification, SMS, email, carrier pigeon, etc for other options but at least give the user a choice of something besides an insecure method like SMS.

you are viewing a single comment's thread
view the rest of the comments

[-] hightrix@lemmy.world 23 points 11 months ago

Simple answer. Our users complained about downloading an app to login to the app they just downloaded.

Users don’t care. They don’t want to download yet another app just to login. They want to use what they already have, like sms or email.

[-] zwekihoyy@lemmy.ml 10 points 11 months ago

you only need one totp app.... people baffle me.

[-] Greenbubbleb0y@sh.itjust.works 7 points 11 months ago

Unless you get a fidelity account. Then you need one totp app for all your other accounts and symmantec VIP proprietary shit for fidelity. Text book example of how not to implement 2fa

[-] sugar_in_your_tea@sh.itjust.works 2 points 11 months ago

You can actually import the Symantec key into your TOTP of choice, it just takes some extra effort. Or you can just buy a TOTP hardware key, which is what I ended up doing (throw it in the keychain and I'm set).

[-] Greenbubbleb0y@sh.itjust.works 3 points 11 months ago

I did do this. Took me forever cause there were no directions for how to do it on windows. I figured it out eventually. I'm also kinda worried whoever created it could see my totp secret key.

You can use hardware keys with fidelity? Like yubico?

[-] sugar_in_your_tea@sh.itjust.works 2 points 11 months ago* (last edited 11 months ago)

No, there's a Symentec OTP fob that just generates tokens when you push a button. So something like this (I bought this one).

You'll need to replace it when the battery dies, but I like that it's not tied to my phone like the Symantec app is.

[-] Greenbubbleb0y@sh.itjust.works 3 points 11 months ago

Oh. No thank you. I'm trying to stay away from symmantec.

load more comments (8 replies)

load more comments (12 replies)

this post was submitted on 27 Sep 2023

171 points (94.8% liked)

Technology

34438 readers

180 users here now

This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.

Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.

Rules:

1: All Lemmy rules apply

2: Do not post low effort posts

3: NEVER post naziped*gore stuff

4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.

5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)

6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist

7: crypto related posts, unless essential, are disallowed

founded 5 years ago

MODERATORS

MinutePhrase@lemmy.ml