Why Do Companies Not Use Existing 2FA Standards? - eviltoast

This is something I am seeing more and more of. As companies start to either offer or require 2FA for accounts, they don’t follow the common standards or even offer any sort of options. One thing that drives me nuts is when they don’t offer TOTP as an option. It seems like many companies either use text messages to send a code or use some built in method of authorizing a sign in from a mobile device app.

What are your thoughts on why they want to take the time to maintain this extra feature in an app when you could have just implemented a TOTP method that probably can be imported as an existing library with much less effort?

Are they assuming that people are too dumb to understand TOTP? Are they wanting phone numbers from people? Is it to force people to install their apps?

*edit: I also really want to know what not at least give people the option to choose something like TOTP. They can still offer mobile app verification, SMS, email, carrier pigeon, etc for other options but at least give the user a choice of something besides an insecure method like SMS.

    • loutr@sh.itjust.works
      link
      fedilink
      arrow-up
      20
      ·
      1 year ago

      Most people simply don’t get the point. They don’t understand, let alone care about, digital privacy and security.

      Anecdotal evidence: I have a short Gmail address (think billg@gmail.com), and a lot of smartasses use it to subscribe to everything, mostly as a throwaway but also on e-commerce sites, fintech bullshit with access to their bank accounts, …

      Once I got curious and reset the password, logged in and the moron had already filled in all his personal info, including his credit card. Another time I sent an SMS to the guy asking him to stop, he replied “it’s my address, my nephew set it up for me, I guess we just have the same one”.

      These guys would never take 10 minutes to set up a 2FA app.

      • Father_Redbeard@lemmy.ml
        link
        fedilink
        arrow-up
        7
        ·
        1 year ago

        Similar happened to me. I’ve had a Gmail since the beta days and a fairly common name. I get sensitive documents sent to me, random order confirmation, even a flight confirmation that I signed into to try to find his phone number so I could text him. I’ll admit I wanted so badly to cancel his flight. But I didn’t. Texted him and told him he needs to reset his pwd. Just so careless.

      • zwekihoyy@lemmy.ml
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        1 year ago

        people are even dumber than I realized holy shit. I knew people weren’t willing to go far for security measures but this is actually much worse than I would have guessed.

        laziness, ignorance, or privilege? I’m unsure which of the three causes this. I find it hard to believe it’s ignorance because online scams and hacks are very well known and I’ve always hated “laziness” as a concept.

    • Greenbubbleb0y@sh.itjust.works
      link
      fedilink
      arrow-up
      7
      ·
      1 year ago

      Unless you get a fidelity account. Then you need one totp app for all your other accounts and symmantec VIP proprietary shit for fidelity. Text book example of how not to implement 2fa

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        You can actually import the Symantec key into your TOTP of choice, it just takes some extra effort. Or you can just buy a TOTP hardware key, which is what I ended up doing (throw it in the keychain and I’m set).

        • Greenbubbleb0y@sh.itjust.works
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          I did do this. Took me forever cause there were no directions for how to do it on windows. I figured it out eventually. I’m also kinda worried whoever created it could see my totp secret key.

          You can use hardware keys with fidelity? Like yubico?

    • AbsurdityAccelerator@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      And you should be using a password manager anyway, which can generate the token. Granted, it’s probably bad practice, since it defeats the two factor aspect.

      • 👁️👄👁️@lemm.ee
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Perfect security gets in the way of improved security. The best practice is a middle ground of security and convience. At least it depends on the threat level anyways.