• DahGangalang@infosec.pub
    link
    fedilink
    arrow-up
    19
    ·
    3 days ago

    I bet its the cheapest and/or easiest to implement. Why do more than the bare minimum, amirite?

    ^I feel like mine is a bad faith opinion, but I also feel passionately about this and want to ensure your post is getting some level of engagement so it can maybe get some proper discussion going.

    • pivot_root@lemmy.world
      link
      fedilink
      arrow-up
      8
      ·
      3 days ago

      A cynical thought: what if it’s actually less risky to make 2FA someone else’s fault when it fails, rather than worry about ever having to be held accountable for an insecure implementation they created.

      • DahGangalang@infosec.pub
        link
        fedilink
        arrow-up
        3
        ·
        3 days ago

        Thats a good point.

        I expect the courts would uphold that flavor of argument too (at least in the U.S.; I expect the same in other countries, but don’t feel comfortable speaking for systems I’m not at all familiar with).

    • ricecake@sh.itjust.works
      link
      fedilink
      arrow-up
      5
      ·
      3 days ago

      I mean, you’re not wrong, just a hair off. It’s the most universally possible to implement.

      Every version of every phone can support SMS, and no one worries that someone is spying on them when they get one.

      SMS is a terrible solution, but it’s extremely easy to implement, and very accepted by people at large. That makes it all those things you mentioned, but it’s backed by a very legitimate motivation.

      In other contexts this explains part of the popularity of federated signin systems, since users may not trust you, but they probably trust their email provider, and if you can piggyback off their MFA, you don’t have to hope the user will find you special enough to do the extra work.

      Dedicated phone apps have a similar advantage, since you can leverage the phones built-in identity management.

      Passkeys are currently being pushed very hard by security folks because, if done right, you can make the user more secure while making their sign-in process simpler, and letting them need to remember less and not install or manage anything.

      You still have the ultimate issue of the atypical user who is valid and can authenticate, but for whatever reason has decided to only posess the dumbest of dumb phones, and can only accept SMS or phone calls.

    • subtext@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      3 days ago

      I would wonder if they have done the cost / benefit of having to have support staff to help boomers who can’t use a TOTP app vs the cost of covering losses from SIM-swapping attacks. It’s probably a significant amount of money to hire all the people needed to support every grandma who can’t figure out where the six numbers come from.