Why Do Companies Not Use Existing 2FA Standards? - eviltoast

This is something I am seeing more and more of. As companies start to either offer or require 2FA for accounts, they don’t follow the common standards or even offer any sort of options. One thing that drives me nuts is when they don’t offer TOTP as an option. It seems like many companies either use text messages to send a code or use some built in method of authorizing a sign in from a mobile device app.

What are your thoughts on why they want to take the time to maintain this extra feature in an app when you could have just implemented a TOTP method that probably can be imported as an existing library with much less effort?

Are they assuming that people are too dumb to understand TOTP? Are they wanting phone numbers from people? Is it to force people to install their apps?

*edit: I also really want to know what not at least give people the option to choose something like TOTP. They can still offer mobile app verification, SMS, email, carrier pigeon, etc for other options but at least give the user a choice of something besides an insecure method like SMS.

  • ricecake@sh.itjust.works
    link
    fedilink
    arrow-up
    6
    ·
    1 year ago

    So, the real reason is because they’re usually not implementing it themselves, and the service they’re using has an array of options, and they went for the most “user friendly” approaches.
    Registering an authenticator or typing numbers is viewed as hard by a lot of people, so SMS or an push notification are viewed as the easy route.

    • setVeryLoud(true);@lemmy.ca
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Could at least offer it, I don’t consider SMS secure, and push notifications require that you have a supported mobile device.

      • ricecake@sh.itjust.works
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        You’re not wrong, but it can be difficult to support more than the minimum without more buy-in from a financial perspective. Things beyond SMS tend to need an enrollment process that would impact the user sign-up flow.
        You can create the user and store their phone number in one step, but totp sign-up usually needs something where you can create a provisional user, and then activate their MFA to activate the user.

        It’s why a lot of passkey stuff has a lot of potential, since it can make it easier for the user to sign-up, which has an appeal to people who are making decisions that have to consider sales and IT concerns.