Accounts that send a 2FA code to your email rather than using the 2FA code generator you've already set up for that account - eviltoast

Recent examples: Twitch and Firefox 🤦

    • CosmicTurtle0@lemmy.dbzer0.com · ↑6 · 1 month ago

      My guess is that it’s the easiest and cheapest way to set up “MFA”.

      The number of banks that don’t have proper MFA really bugs me.

      • Saik0@lemmy.saik0.com · ↑10 ↓1 · 1 month ago

        > My guess is that it’s the easiest and cheapest way to set up “MFA”.

        TOTP is cheaper.

        SMS is actually expensive at scale. An example would be Signal, the messenger app that doesn’t use SMS. They have overhead for sending backup codes/new account creation/verification/etc. https://www.wired.com/story/signal-operating-costs/ 6 million a year. API integrations for SMS messages/codes are still like 1-5 cents per message.

        TOTP’s requirements? A reasonably accurate clock on the server, and storing the shared secret in a database.