Why don't more websites/services offer 2FA? (lemdro.id)

submitted 1 month ago by [email protected] to c/[email protected]

27 comments fedilink hide all child comments

I've been going through updating all of my accounts (passwords, 2FA, etc.), and I've noticed that there are a lot of sites that don't offer any form of MFA.

I can understand smaller services that might not have the bandwidth, but surely larger organisations are able to get this setup?

top 27 comments

sorted by: hot top controversial new old

[-] [email protected] 23 points 1 month ago* (last edited 1 month ago)

its not even about bandwidth.. its about cost to implement over the risk to not implement.

the big big buys have implemented as they helped define the mfa processes we all use. the new, smaller players have implemented because there are easy to implement libraries/services all over (for example, my tiny fediverse instance offers mfa)

the middle tier just havent gotten around to it, or do not see a direct benefit to doing so.

[-] [email protected] 13 points 1 month ago

It's also a pain in the ass for the user. Creating a barrier to entry decreases the likelihood that your customers will use the service. I don't want to go find my phone to receive a text every time I want to log in to every single website.

[-] [email protected] 7 points 1 month ago

It's not like it has to be required.

[-] [email protected] 6 points 1 month ago

Pain in the ass, not really.

Text based MFA is the least secure option, and shouldn't be used. Apps or a dedicated hardware token are the options you want, and those are pretty easy to setup.

That also doesn't even take into account that mobile makes up more than 50% of global web traffic now. So "going to find your phone", you are in the minority. The majority of people are already using their phone when they are logging into something.

A dedicated authenticator app like Authy is easy to set up. And now the most common password managers also allow generating those MFA app codes directly to login with them alongside your regular username and password. Apple's Keychain, LastPass, and Bitwarden all support it, just to name a few.

And we have Passkeys being implemented as an alternative to the Password/2FA system, with native support for that via things like iOS and Bitwarden, and I'm sure others as well.

[-] [email protected] 4 points 1 month ago

You're ignoring the part about having to go find your phone. MFA apps still require you to do that.

[-] [email protected] 3 points 1 month ago

My second paragraph literally points out that the majority of Internet traffic now is mobile, around 58%. More likely than not, any given person is already on their phone. No need to find your phone when it's in your hand and you're already looking at it.

[-] [email protected] 2 points 1 month ago

That's still a 40 percent possible user loss.

[-] [email protected] 2 points 1 month ago

Possibly, but the real world is likely nowhere near that. I'd be willing to bet most people in general don't leave their phone lying around their house randomly while they're home and actively doing things where they might need to login to accounts. More likely their phone is in a pocket, or on the desk in arms reach, not the other side of the house while they're on the computer.

And of course all of this assumes a phone only app or a text message while ignoring the systems that let you access your messages from other devices. Like the iOS/Mac support through an Apple ID, Android Messages supports via the web, and Phone Link on Windows will let you do as well over WiFi at home. All of those will let you access your phone messages without needing the phone directly in front of you.

[-] [email protected] 2 points 1 month ago

I think you're vastly overestimating the digital literacy of the population as a whole.

[-] [email protected] 2 points 1 month ago

Oh I realize how illiterate most people are with tech. But fully integrated systems like Apple's Keychain and integration with Mac products make that a much smaller issue than it would otherwise be on the surface for many of those users. At least, until they don't remember their Apple ID.

[-] [email protected] 21 points 1 month ago

The worst here are financial institutions. What do I want the most security on? My money.

I get that they have regulations, but it annoys me all the time.

[-] [email protected] 14 points 1 month ago

The worst part of those is when they do support 2FA, but it's text-only. No app authentication or hardware key option.

Like it's something, but it's easily the least secure option, and probably the most expensive since it requires operating an additional SMS portal for those codes.

[-] [email protected] 2 points 1 month ago

SMS 2fa on banks is not as bad as you’d think.

They settled on SMS before there really were choices, and banks are slow to change
Banks long since realized SMS was inadequate and use additional security. I imagine all banks in US, but certainly the biggest ones, invested in profiling software that looks at your behavior and device to rate every transaction by additional risk factors. They’re already pretty confident nothing bad is going on

[-] [email protected] 2 points 1 month ago

As a developer who has worked on similar systems, I can see why it likely ended up that way. Not justifying it, only understanding it.

In the case of banks, it's likely that;

They needed to make 2FA mandatory for all customers, rather than opt-in. This means they needed an MFA method which a person of any technical competency can use. SMS is the "lowest common denominator" here, so they chose it.
The cost of sending SMS messages is high, but banks are (unsurprisingly) rich and can afford it

It would be great if banks offered better MFA methods, but development time in old-school banks is often ridiculously long as it is a very risk-averse industry that is also slowed down a lot by bureaucracy. It's likely they would choose something else on the roadmap, and stick with SMS as simply "good enough"

[-] [email protected] 1 points 1 month ago

Pornhub has better account security than my bank, which ONLY has an option for a 6-digit numeric password, with no 2fa at all

[-] [email protected] -2 points 1 month ago* (last edited 1 month ago)

This one I can understand, if something somehow goes wrong with your 2FA you’re locked out of your money

[-] [email protected] 5 points 1 month ago

No you're not?! You seriously think the bank would just say "nope. No 2FA you're fucked all your monies are ours now".

[-] [email protected] 0 points 1 month ago

yeah that’s fair, I wasn’t thinking lol

[-] [email protected] 4 points 1 month ago

Not if you can walk into a branch.

[-] [email protected] 5 points 1 month ago

Not every financial institution has brick and mortar locations.

[-] [email protected] 1 points 1 month ago

I know, which is why I said IF.

[-] [email protected] 16 points 1 month ago

Because they don't feel like it and aren't required to

Just copy paste that for literally any "why aren't more companies doing (X thing that makes sense and better protects the consumer)?" questions.

[-] [email protected] 15 points 1 month ago

it takes engineering time which is not a trivial cost - accounts and identity for large orgs tend to be a lot more complex than you might think - there will likely be a few different identity stores, and multiple systems that query those stores; making sure every possible permutation works correctly can be a bit undertaking
It adds additional load to their support teams which is very expensive

The support one is a real killer for a lot of places; I've worked with a place that had a few million paying customers, and ~half of those were in a tier where a single 30 minute support call would completely negate any revenue that that customer would bring in for the year. Email support was slightly less expensive, but would still be a significant proportion of your annual profit

[-] [email protected] 2 points 1 month ago

I was going to mention the support aspect. I believe some TOTP 2FA applications have automatic online backups by default but some don't and require users to make their own backups. I can only imagine how challenging it would be to deal with users who have locked themselves out of their account due to their 2FA setup.

I had to go through that with itch.io a while back and had to verify my most recent purchases to recover my account. It was nice I was able to get it back but that in itself could be a security concern.

[-] [email protected] 9 points 1 month ago* (last edited 1 month ago)

https://2fa.directory A directory of common sites that offer (or don't offer) 2FA, which and how. I agree it should be a default feature. But maybe harvesting your full ID credentials is more juicy to many companies

[-] [email protected] 2 points 1 month ago

That’s a super useful site, thank you!

[-] [email protected] 2 points 1 month ago* (last edited 1 month ago)

The larger the organization, the larger their resources, but also usually the greater their complexity and legacy burdens. Large organizations also move slowly. All of this can delay things long after we might think they ought to have happened.

this post was submitted on 03 Jun 2024

57 points (96.7% liked)

No Stupid Questions

34333 readers

1151 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)

Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.

Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.

Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.

Rule 4- No self promotion or upvote-farming of any kind.

That's it.

Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.

Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.

Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.

Rule 8- All comments should try to stay relevant to their parent content.

Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.

Rule 10- Majority of bots aren't allowed to participate here.

Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 1 year ago

MODERATORS

[email protected]