Playing with more user-friendly methods for multi-factor authentication

42 points by noleary | 25 comments | 7/28/2025, 10:04:58 PM | tesseral.com

Comments (25)

seplox · 4h ago
> When I tell people I work on authentication software, I nearly always hear some version of the same story: I hate multifactor authentication. No, really. People hate this stuff.

I hate all of the half-cooked non-TOTP MFA methods that I'm forced to use. Just let me use my freaking authenticator app. If you believe that your users prefer (or maybe it's just you?) more databroker-friendly methods, then fine, but please at least provide TOTP as an option.

riedel · 2h ago
At least in Germany all the SMS 2FA has been shut off, but replaced with tons of custom 2FA apps. The security argument is certainly that they can check for 'insecure' devices. But I wonder what the empirical evidence here is and how often (compared to phishing/social engineering) a TOTP token was actually stolen. Worst thing is IMHO Microsoft now, which seems to have also shut off the TOTP option and uses some other proprietary 2FA scheme now. IMHO banks should simply use FIDO2 HW tokens, but with all that passkey bullshit it becomes unlikely...
cosmic_cheese · 3h ago
I wish that banks would offer TOTP. SMS is famously insecure and poorly suited for something that’s a load-bearing pillar in most of our lives, and TOTP is probably the most reasonable replacement. Unfortunately only a tiny handful of US banks offer non-SMS 2FA of any kind, and to my knowledge the one that does (Schwab I think?) requires the use of a hardware gadget even though it’s standard TOTP (which people have written python scripts to extract the necessary bits of info from).
hinkley · 2h ago
To this day I'm just amazed that World of Warcraft tried to mandate security tokens in a time when E*Trade barely supported them.

Why is a video game embarrassing fintech?

abdullahkhalids · 2h ago
World of Warcraft was supporting tens of thousands of poor teenagers in developing countries, who would farm high value items in the game and then sell the account/items to rich people who didn't want to put in the hard work.

There was (maybe still is) lots of money to be made by hacking accounts and selling them.

WoW was fintech!

toomuchtodo · 3h ago
Fidelity offers TOTP standard support, works with the native Apple Password app/keychain.
FuriouslyAdrift · 4h ago
A fingerprint locked NFC Yubikey seems to be the preferred with all ages at work. Everyone likes it as long as it is once per login to the computer (which basically means we have to use Edge for everything which is fine).

Everyone universally hates passkeys because they never work right.

averageRoyalty · 1d ago
Quite funny. Amusingly, the self-portrait method is effectively the signatures we considered acceptable for financial and legal transactions for many decades - make up a scribble and compare it to a scribble you do previously - if it's close enough and you _seem_ to be the guy, we're good.
sunrunner · 5h ago
> make up a scribble and compare it to a scribble you do previously

I'll take "Lies that your parents told you about how the world works" for 500, Alex.

Serious question though, I thought the whole signature thing was more of a legally binding thing for the signer asserting themselves as X, sort of like checking the "I'm over 18" box. Sort of a "Well we asked you the question, it's not our fault if you lied" type thing.

j-bos · 5h ago
I remember opening a bank account and having to sign a specific card that the bank would keep solely to verify my signature on checks.
boogieknite · 3h ago
"lies that your American parents told you about how the world works"

I went to Germany as an exchange student, scribbled out my random scribble for my traveller's check, and they denied me because my signature wasn't close enough to their record. Heard a similar story from a friend who visited Japan.

evantbyrne · 3h ago
Signatures are the tip of the iceberg. Plenty of other forms of bs forensics live on in the legal system in some shape or form. e.g., fingerprint analysis, polygraphs, field sobriety tests, devices that literally do nothing, trainings on reading facial expressions, and so on. If you can take a two week course on it, then chances are there is some cop somewhere using it to detain people.
progbits · 3h ago
I always do a random scribble. If I want to later deny signing something, good luck proving it's me; it won't match any of my other signatures. At least that's the theory. This is mostly a joke to me and I don't care if it works.
thcipriani · 3h ago
Poker hands would be pretty cool for encoding things that you have to recognize quickly; e.g., key fingerprints. If there are 2.5M unique hands then encoding 256 bits of information requires 12(ish) poker hands.
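The arithmetic behind that comment, worked through as an added example (this is not code from the thread or from the linked article): C(52, 5) = 2,598,960 hands, so each hand carries log2(2,598,960) ≈ 21.3 bits, and 12 hands hold only about 255.7 bits, one short of a 256-bit fingerprint. The block below unranks five-card hands with the combinatorial number system, converts a fingerprint to base 2,598,960, and shows that 13 hands are needed. Card labels, suit order, and the sample fingerprint are choices made here for the example.

```python
import hashlib
import math

RANKS = "23456789TJQKA"
SUITS = "cdhs"                                             # clubs, diamonds, hearts, spades
DECK = [rank + suit for suit in SUITS for rank in RANKS]   # 52 cards, index 0 = "2c"
HAND_SIZE = 5
HANDS = math.comb(len(DECK), HAND_SIZE)                    # 2,598,960 distinct five-card hands


def unrank_combination(index: int, n: int = 52, k: int = HAND_SIZE) -> list[int]:
    """Return the index-th k-subset of range(n) in lexicographic order, 0 <= index < C(n, k)."""
    if not 0 <= index < math.comb(n, k):
        raise ValueError("index outside C(n, k)")
    combo, start = [], 0
    for slots_left in range(k, 0, -1):
        c = start
        while True:
            # how many k-subsets put c in this slot; skip whole blocks until index lands in one
            block = math.comb(n - 1 - c, slots_left - 1)
            if index < block:
                break
            index -= block
            c += 1
        combo.append(c)
        start = c + 1
    return combo


def rank_combination(combo: list[int], n: int = 52, k: int = HAND_SIZE) -> int:
    """Inverse of unrank_combination for a strictly increasing k-subset of range(n)."""
    index, start = 0, 0
    for pos, c in enumerate(combo):
        slots_left = k - pos
        for j in range(start, c):
            index += math.comb(n - 1 - j, slots_left - 1)
        start = c + 1
    return index


def hands_needed(bits: int) -> int:
    """Smallest number of base-HANDS digits that can hold every value of the given bit length."""
    count = 0
    while HANDS ** count < 2 ** bits:
        count += 1
    return count                                           # 13 for 256 bits, not 12


def encode_fingerprint(fingerprint: bytes) -> list[list[str]]:
    """Write the fingerprint as fixed-width base-HANDS digits, most significant hand first."""
    value = int.from_bytes(fingerprint, "big")
    digits = []
    for _ in range(hands_needed(len(fingerprint) * 8)):
        value, digit = divmod(value, HANDS)
        digits.append(digit)
    return [[DECK[i] for i in unrank_combination(d)] for d in reversed(digits)]


def decode_fingerprint(hands: list[list[str]], length: int = 32) -> bytes:
    """Read the hands back into the original bytes; rejects malformed hands."""
    value = 0
    for hand in hands:
        cards = sorted(DECK.index(card) for card in hand)
        if len(set(cards)) != HAND_SIZE:
            raise ValueError("a hand must be five distinct cards")
        value = value * HANDS + rank_combination(cards)
    return value.to_bytes(length, "big")


if __name__ == "__main__":
    # Constructed fingerprint: SHA-256 of a made-up string standing in for a public key.
    fp = hashlib.sha256(b"constructed example public key").digest()
    for hand in encode_fingerprint(fp):
        print(" ".join(hand))
    assert decode_fingerprint(encode_fingerprint(fp)) == fp
```

Fixed width matters: leading hands of "2c 3c 4c 5c 6c" (digit zero) must be kept, otherwise two fingerprints that differ only in length would collide. A 128-bit fingerprint, which is what people usually compare by eye, fits in 7 hands.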
smokel · 3h ago
One aspect I find puzzling is why most two-factor authentication (2FA) applications restrict authentication to only a single valid code at any given time. This constraint inevitably creates a window during which it is inconvenient or impractical to copy the code to another device. Allowing the previous code to remain briefly valid would eliminate this unnecessary delay, enhancing usability without significantly compromising security.
conradludgate · 3h ago
Have you actually tried writing a code close to the expiry window? I've definitely submitted codes a few seconds after the expiry and had them still be accepted
zie · 3h ago
See RFC-6238: https://www.rfc-editor.org/rfc/rfc6238

This is all in the standard, most places have implemented one of the options. I've implemented all of the options at least once. It's configurable based on how lax/secure you want to be.

Most places I've dealt with allow the previous and next code to also be used, so instead of a 30s window you actually have a 1.5m window.

fredley · 3h ago
FWIW 2FAS starts to show you the next code near the end of the window, this is very handy https://2fas.com/
brewdad · 3h ago
Ente Auth displays the current code and the next code so you can choose whichever best meets the time remaining until the changeover. It’s a nice usability feature.
JamesSwift · 2h ago
I believe every single 2fa system I've used accepts either the current code or the one directly prior.
_Algernon_ · 3h ago
Since TOTP codes are time based and there is no guarantee that the time of the generating device and the verifying device are exactly identical, they usually allow some room for error. You'll probably be fine entering the code before or after, for example.
Liftyee · 3h ago
Pedantry warning: I'm not convinced that some of these methods qualify as a second factor of authentication, based on the "something you know, something you have, something you are" model. They're both "something you know", right?
1970-01-01 · 4h ago
These are such terrible ideas that I expect someone already has one of them on github.
anteloper · 3h ago
Why do we like entropy in auth factors?
noleary · 3h ago
Imagine two different password strength standards:

1. Just a 4 digit numeric PIN like `1981`

2. A 20 character upper/lower/numeric/special-character password like `qmd1tkf7mwa.PQB0qrz$`

--

The PIN has lower entropy and is therefore a lot easier to brute force.

I haven't calculated this stuff myself -- I just used Wolfram Alpha -- but it looks like the PIN would take <1 second to brute force, while the 20 character password would take 7.6 * 10^25 years. [1] [2]

--

[1] https://www.wolframalpha.com/input?i=password+strength+qmd1t...

[2] https://www.wolframalpha.com/input?i=password+strength+1981
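The same comparison worked out in code, as an added example that is not from the thread or from the article: infer the character classes a guesser would have to cover, turn length and alphabet into bits, and convert the keyspace into time at an assumed guess rate. The guess rates in the demo are assumptions for illustration, not figures from the page.

```python
import math
import string

# Character classes a brute-force attacker must include once any member of the class appears.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def alphabet_size(secret: str) -> int:
    """Size of the smallest union of classes that covers every character in the secret."""
    size, covered = 0, set()
    for cls in CLASSES:
        if any(ch in cls for ch in secret):
            size += len(cls)
            covered.update(cls)
    leftover = {ch for ch in secret if ch not in covered}   # space, non-ASCII, etc.
    return size + len(leftover)


def entropy_bits(secret: str) -> float:
    """Bits of entropy if every position were drawn uniformly from the inferred alphabet.

    This is an upper bound: a human-chosen PIN such as 1981 is a year, and guessing
    tools try years long before they try 0000..9999 in order.
    """
    return len(secret) * math.log2(alphabet_size(secret))


def seconds_to_exhaust(secret: str, guesses_per_second: float) -> float:
    """Time to try the whole keyspace of this length and alphabet at the given rate."""
    return alphabet_size(secret) ** len(secret) / guesses_per_second


def years(seconds: float) -> float:
    return seconds / (365.25 * 86400)


if __name__ == "__main__":
    candidates = ["1981", "qmd1tkf7mwa.PQB0qrz$"]
    # Assumed rates: an online form with rate limiting, and an offline attack on a leaked hash.
    rates = {"online, 10 guesses/s": 10.0, "offline, 1e12 guesses/s": 1e12}
    for secret in candidates:
        print(f"{secret!r}: alphabet {alphabet_size(secret)}, {entropy_bits(secret):.1f} bits")
        for label, rate in rates.items():
            print(f"  {label}: {years(seconds_to_exhaust(secret, rate)):.3g} years")
```

Two things fall out of the numbers. Offline, the 4-digit PIN is gone in microseconds, while 20 characters over a 94-symbol alphabet give about 131 bits, which no guess rate makes tractable. Online, a 6-digit TOTP code is under 20 bits and rotates every step, so it only holds up because the verifier rate-limits attempts; a verifier that accepts unlimited tries against a 90 s window has turned the second factor into a lottery the attacker can buy tickets for.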