Technology

As someone who has had to walk the "I don't do computers" public through basic things over the phone, I can confirm that yes, a lot of people are way too lazy to learn anything new. They will instead call the support folks and blast some poor person just trying to deal with their day. Call center volume goes up anytime any barrier is added. Agreed though, SMS OTP is constantly becoming less effective. Email OTP is somewhat pointless.

Here's one that annoyed me this week. Juniper - the enterprise router people - require you to have an account to do their training. That's a web account that won't let you use more than 20 chars in your password, and won't let you paste a password.

Not 2fa, I'll grant you, but it's from the same bucket of dumb insecure shit that you're talking about.

Yeah, they just want your phone number.

It's against our company policy to let users do 2FA over SMS. Only secure options are allowed.

Because our requirements come from a different business unit that has no understanding of their task, only a checklist of features that need to be implemented. "2FA" is one of those things, and we're tasked to take the easiest route possible.

Do you know how hard it is to implement TOTP? It took me two hours to implement it in my email service. You can't expect these multimillion dollar corporations to pay an engineer for two whole hours of work to implement a tested and proven standard.

Simple answer. Our users complained about downloading an app to login to the app they just downloaded.

Users don’t care. They don’t want to download yet another app just to login. They want to use what they already have, like sms or email.

I can't answer your question but it's particularly annoying for me because I travel a lot for work. Sending me an SMS message when I'm in the middle of Africa isn't going to work. (In fact I found a way to make it work by enabling wifi calling with my US cell provider.. but I shouldn't have to jump through hoops to verify my identity)

I think it’s because TOTP requires some sort of initial token sync that is more complicated than entering a telephone number. There’s also no need to have people backup codes etc. To use Authy for example I need to photograph a QR code and have a smart phone.

Text message as a solution works on older non-smart phones so it’s possibly the “most widely accessible” solution.

From a backend perspective as well it’s just an API text $random to $phone.

Support. Explaining what OTP is to my mother would be impossible. Getting her to download an app-even harder. Companies (like mine) have to develop for the lowest common denominator. Email, sms, voice call, snail mail. That’s all we have.

Some companies main users that they want to protect are customers who consider security to be having one shared password written on the noticeboard in the office. Sadly, sms is just an easier sell to a lot of users, and even getting them to do that can be a nightmare.

As for why proper TOTP isn't supported as well... the cynic in me gives you the answer "the auditor required we implement 2fa, we have implemented sms 2fa, now go implement shiny feature x instead of wasting time" is probably a common corporate response.

Steam is using their own implementation that is also used for getting push notifications when selling an item on their kind of marketplace.

I don't use that feature, so having a standard 2FA would be nice as I could back it up like all the others..

I understand why people want 2FA, but I'm just not that worried about it and wish it was a choice. I am so fucking tired of pulling my phone out every single time I want to use certain applications on my computer. I don't care if these accounts get hacked, frankly, I have no money invested in them, so let me just choose to be risky for convenience sake.

Mobile apps should be fairly obvious. It’s drives use of their application which is something they want. For most everything else, everyone* already has a phone and can do SMS, though it’s being proven to be more insecure.

Both of those options meet their needs, the needs of the customer are secondary.

So, the real reason is because they're usually not implementing it themselves, and the service they're using has an array of options, and they went for the most "user friendly" approaches.
Registering an authenticator or typing numbers is viewed as hard by a lot of people, so SMS or an push notification are viewed as the easy route.

Mobile apps can suck a fart. I hate installing apps when the browser works perfectly fine.

SMS is way less secure but it is convenient for the masses to get your grandma easily using 2FA without any apps or more complex setup. It also doesn't require internet like an app would.

I personally use Fido2/uauth > TOTP > Email > SMS.

Maybe they themselves are too dumb to understand TOTP. Or incapable of being humble enough to study standards / use them or even think for a second that those might be standards. I guess the fact that most software is done by consulting companies with armies of fresh graduates doesn't help either.

I've 14 items in Authy, and basically never used SMS as 2FA. Only to validate my identity on first signup. The only time SMS was used as 2FA for me was by the company I had an internship in programming in.