this post was submitted on 27 Sep 2023
171 points (94.8% liked)

Technology

34438 readers
191 users here now

This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.

Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.

Rules:

1: All Lemmy rules apply

2: Do not post low effort posts

3: NEVER post naziped*gore stuff

4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.

5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)

6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist

7: crypto related posts, unless essential, are disallowed

founded 5 years ago
MODERATORS
[email protected]
171
Why Do Companies Not Use Existing 2FA Standards? (lemm.ee)
submitted 11 months ago* (last edited 11 months ago) by [email protected] to c/[email protected]
78 comments fedilink hide all child comments
 

This is something I am seeing more and more of. As companies start to either offer or require 2FA for accounts, they don't follow the common standards or even offer any sort of options. One thing that drives me nuts is when they don't offer TOTP as an option. It seems like many companies either use text messages to send a code or use some built in method of authorizing a sign in from a mobile device app.

What are your thoughts on why they want to take the time to maintain this extra feature in an app when you could have just implemented a TOTP method that probably can be imported as an existing library with much less effort?

Are they assuming that people are too dumb to understand TOTP? Are they wanting phone numbers from people? Is it to force people to install their apps?

*edit: I also really want to know what not at least give people the option to choose something like TOTP. They can still offer mobile app verification, SMS, email, carrier pigeon, etc for other options but at least give the user a choice of something besides an insecure method like SMS.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 13 points 11 months ago (2 children)

Support. Explaining what OTP is to my mother would be impossible. Getting her to download an app-even harder. Companies (like mine) have to develop for the lowest common denominator. Email, sms, voice call, snail mail. That’s all we have.

[–] [email protected] 18 points 11 months ago (1 children)

We sent a letter to your address. Please type in the six digit code, which will expire in 8 weeks. If you didn't receive it after 6 weeks you can opt to send another code.

[–] [email protected] 8 points 11 months ago

You joke, but I distinctly remember doing this about 10 years ago for a local auction website.

[–] [email protected] 1 points 11 months ago (1 children)

But, like, why not have SMS and TOTP support? TOTP is trivially easy to implement.

[–] [email protected] 1 points 11 months ago (1 children)

Again, support.

[–] [email protected] 1 points 11 months ago (1 children)

If the problem is that someone doesn’t know what TOTP is, then just hide the setup behind a link that says “Use TOTP instead of SMS”. Problem solved. Everyone who knows what it is can use it, and the people who don’t won’t click it.

[–] [email protected] 1 points 11 months ago (1 children)

If it’s hidden, then no one would use it and my development time is better spent on things that matter.

(I don’t actually disagree with you, I like TOTP personally)

[–] [email protected] 0 points 11 months ago (1 children)

I don’t mean actually hidden, I mean an option behind a link. Of course people would use it. I would, you would, and OP would. That’s 100% of the people in this conversation.

[–] [email protected] 1 points 11 months ago

As long as I can say “you’re on your own” to every one of those 100%