this post was submitted on 27 Sep 2023
164 points (94.6% liked)

Technology

35126 readers
121 users here now

This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.


Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.


Rules:

1: All Lemmy rules apply

2: Do not post low effort posts

3: NEVER post naziped*gore stuff

4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.

5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)

6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist

7: crypto related posts, unless essential, are disallowed

founded 5 years ago
MODERATORS
 

This is something I am seeing more and more of. As companies start to either offer or require 2FA for accounts, they don't follow the common standards or even offer any sort of options. One thing that drives me nuts is when they don't offer TOTP as an option. It seems like many companies either use text messages to send a code or use some built in method of authorizing a sign in from a mobile device app.

What are your thoughts on why they want to take the time to maintain this extra feature in an app when you could have just implemented a TOTP method that probably can be imported as an existing library with much less effort?

Are they assuming that people are too dumb to understand TOTP? Are they wanting phone numbers from people? Is it to force people to install their apps?

*edit: I also really want to know what not at least give people the option to choose something like TOTP. They can still offer mobile app verification, SMS, email, carrier pigeon, etc for other options but at least give the user a choice of something besides an insecure method like SMS.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 8 points 1 year ago* (last edited 1 year ago) (3 children)

Can you explain what you mean when you say email OTP is somewhat pointless?

[–] [email protected] 31 points 1 year ago (1 children)

Email is commonly compromised. It's an easy target for bad actors executing a takeover.

[–] sugar_in_your_tea 5 points 1 year ago

SMS also isn't that hard to compromise either. I can at least put email behind real 2FA, so they'd have to somehow intercept the email to break email 2FA. I can't do that with SMS, I'm at the mercy of carriers, who obviously don't care.

[–] [email protected] 12 points 1 year ago (1 children)

The email protocol, SMTP, was originally not designed with encrypting content in mind. Encryption was added years later, but as an option that is negotiated between mail servers.

While large email providers like Gmail, outlook, etc. likely all support encryption as best as they can, all it takes is one misconfigured server, etc. to cause emails to be sent in clear text at least part of the way from location to another.

It’s largely for that reason why a lot of people & organizations don’t trust email to be secure unless you use mail clients that encrypt and decrypt mail at both ends. But that’s a PITA to set up properly and manage.

If your email is sent entirely within an ecosystem like Gmail then it’s likely encrypted the entire time. But as soon as it passes outside of Gmail to another organization there’s no guarantee it’s still secure. These days it probably is, as virtually every reputable internet provider & company is going to take the issue seriously, but there’s still the history of SMTP not being encrypted that haunts those in the security fields.

[–] Socsa 2 points 1 year ago

SMS has the same problem though. It's only marginally safer because the tools to hijack a cellular session are a bit more complicated to use, but they are widely available and you can find plenty of instructions online on how to use maybe $3k worth of equipment to spoof a GSM base station and force a target device onto it. Hell, in some cases you don't even have to force the target device onto your rogue ENB - you can just jam the phone and hijack the number through your own SIP gateway if you get the timing right.

[–] [email protected] 8 points 1 year ago (1 children)

Because Two-Factor Authentication is generally supposed to be under the principle of "Something you have and something you know", the password being the "know", and using a TOTP on an app via your phone would be the "have" (the phone).

I suppose if your email is restricted to the something you have/know it's a bit better, and certainly better than nothing - but not by much.

[–] [email protected] 2 points 1 year ago (1 children)

Alternatively, if your e-mail provider does offer a more secure 2FA solution, then sending a temporary code to your e-mail address would be a valid 2FA method by proxy. So it's not entirely a bad idea. (Although I've yet to see an e-mail provider that enforces 2-factor)

[–] [email protected] 4 points 1 year ago (1 children)

Protonmail. I dont have a backup email registered for recovery so if i loose my password and 2fa im totally fucked

[–] sugar_in_your_tea 2 points 1 year ago

Same, which is why I use a password manager and periodically take encrypted backups. The average person isn't going to do that, but I like having the option to use email 2FA instead of SMS, since I can make email 2FA pretty secure, but I can't do that for SMS.