This is something I am seeing more and more of. As companies start to either offer or require 2FA for accounts, they don’t follow the common standards or even offer any sort of options. One thing that drives me nuts is when they don’t offer TOTP as an option. It seems like many companies either use text messages to send a code or use some built in method of authorizing a sign in from a mobile device app.

What are your thoughts on why they want to take the time to maintain this extra feature in an app when you could have just implemented a TOTP method that probably can be imported as an existing library with much less effort?

Are they assuming that people are too dumb to understand TOTP? Are they wanting phone numbers from people? Is it to force people to install their apps?

*edit: I also really want to know what not at least give people the option to choose something like TOTP. They can still offer mobile app verification, SMS, email, carrier pigeon, etc for other options but at least give the user a choice of something besides an insecure method like SMS.

  • DigitalDilemma@lemmy.ml
    link
    fedilink
    arrow-up
    40
    ·
    edit-2
    1 year ago

    Here’s one that annoyed me this week. Juniper - the enterprise router people - require you to have an account to do their training. That’s a web account that won’t let you use more than 20 chars in your password, and won’t let you paste a password.

    Not 2fa, I’ll grant you, but it’s from the same bucket of dumb insecure shit that you’re talking about.

    • kill_dash_nine@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      31
      ·
      1 year ago

      The fields where you can’t paste a password or any other types of data like credit card info absolutely kill me. It’s doing the exact opposite of adding any level of security and it’s just infuriating.

      My favorite recently is my company has TOTP 2FA but you can’t paste the 6 digits. You have to type in one digit at a time, each being its own box. Paste fails in every browser I’ve tried. It’s just a shitty user interface.

      • jo3shmoo@sh.itjust.works
        link
        fedilink
        arrow-up
        10
        ·
        1 year ago

        A bunch of companies seem to be implementing that version (not being able to paste the 6 digits). It’s just asinine and makes me think less of any product / company using that style.

      • DeltaTangoLima@reddrefuge.com
        link
        fedilink
        English
        arrow-up
        8
        ·
        edit-2
        1 year ago

        I hate all of these things so much. Like somehow my clipboard (which any halfway decent password manager either doesn’t use, or scrubs clean after use) is the weak link in the security chain.

        I’ll go one better to @digdilem@lemmy.ml’s example: I once created an account on a “security” vendor’s website (quoted, because they acquired security products, rather than developing them) that limited passwords to 12 characters. They didn’t tell you - they just shortened it before (presumably) storing the hash.

        Fun and fucking games trying to logon each time, when your password manager has stored the random 16 char password you thought you were setting.

    • prole@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      9
      ·
      1 year ago

      Passwords with such low char limits drive me nuts. I’ve been using passphrases because they can be more secure and easy to remember. I hate when there isn’t enough space in the field for my pw. Just… Why??