This is something I am seeing more and more of. As companies start to either offer or require 2FA for accounts, they don’t follow the common standards or even offer any sort of options. One thing that drives me nuts is when they don’t offer TOTP as an option. It seems like many companies either use text messages to send a code or use some built in method of authorizing a sign in from a mobile device app.

What are your thoughts on why they want to take the time to maintain this extra feature in an app when you could have just implemented a TOTP method that probably can be imported as an existing library with much less effort?

Are they assuming that people are too dumb to understand TOTP? Are they wanting phone numbers from people? Is it to force people to install their apps?

*edit: I also really want to know what not at least give people the option to choose something like TOTP. They can still offer mobile app verification, SMS, email, carrier pigeon, etc for other options but at least give the user a choice of something besides an insecure method like SMS.

  • @hperrin
    link
    English
    11 year ago

    If the problem is that someone doesn’t know what TOTP is, then just hide the setup behind a link that says “Use TOTP instead of SMS”. Problem solved. Everyone who knows what it is can use it, and the people who don’t won’t click it.

    • @[email protected]
      link
      fedilink
      English
      11 year ago

      If it’s hidden, then no one would use it and my development time is better spent on things that matter.

      (I don’t actually disagree with you, I like TOTP personally)

      • @hperrin
        link
        01 year ago

        I don’t mean actually hidden, I mean an option behind a link. Of course people would use it. I would, you would, and OP would. That’s 100% of the people in this conversation.