Submitted 5 months ago by governorkeagan@lemdro.id to [deleted]
I’ve been going through updating all of my accounts (passwords, 2FA, etc.), and I’ve noticed that there are a lot of sites that don’t offer any form of MFA.
I can understand smaller services that might not have the bandwidth, but surely larger organisations are able to get this setup?
The worst here are financial institutions. What do I want the most security on? My money.
I get that they have regulations, but it annoys me all the time.
The worst part of those is when they do support 2FA, but it’s text-only. No app authentication or hardware key option.
Like it’s something, but it’s easily the least secure option, and probably the most expensive since it requires operating an additional SMS portal for those codes.
SMS 2fa on banks is not as bad as you’d think.
As a developer who has worked on similar systems, I can see why it likely ended up that way. Not justifying it, only understanding it.
In the case of banks, it’s likely that;
They needed to make 2FA mandatory for all customers, rather than opt-in. This means they needed an MFA method which a person of any technical competency can use. SMS is the “lowest common denominator” here, so they chose it.
The cost of sending SMS messages is high, but banks are (unsurprisingly) rich and can afford it
It would be great if banks offered better MFA methods, but development time in old-school banks is often ridiculously long as it is a very risk-averse industry that is also slowed down a lot by bureaucracy. It’s likely they would choose something else on the roadmap, and stick with SMS as simply “good enough”
This one I can understand, if something Avenu somehow goes wrong with your 2FA you’re locked out of your money
No you’re not?! You seriously think the bank would just say “nope. No 2FA you’re fucked all your monies are ours now”.
Pornhub has better account security than my bank, which ONLY has an option for a 6-digit numeric password, with no 2fa at all
Because they don’t feel like it and aren’t required to
Just copy paste that for literally any “why aren’t more companies doing (X thing that makes sense and better protects the consumer)?” questions.
The support one is a real killer for a lot of places; I’ve worked with a place that had a few million paying customers, and ~half of those were in a tier where a single 30 minute support call would completely negate any revenue that that customer would bring in for the year. Email support was slightly less expensive, but would still be a significant proportion of your annual profit
I was going to mention the support aspect. I believe some TOTP 2FA applications have automatic online backups by default but some don’t and require users to make their own backups. I can only imagine how challenging it would be to deal with users who have locked themselves out of their account due to their 2FA setup.
I had to go through that with itch.io a while back and had to verify my most recent purchases to recover my account. It was nice I was able to get it back but that in itself could be a security concern.
2fa.directory A directory of common sites that offer (or don’t) 2FA, which and how
That’s a super useful site, thank you!
The larger the organization, the larger their resources, but also usually the larger greater their complexity and legacy burdens. Large organizations also move slowly. All of this can delay things long after we might think they ought to have happened.
originalucifer@moist.catsweat.com 5 months ago
its not even about bandwidth.. its about cost to complement over the risk to implement.
the big big buys have implemented as they helped define the mfa processes we all use. the new, smaller players have implemented because there are easy to implement libraries/services all over (for example, my tiny fediverse instance offers mfa)
the middle tier just havent gotten around to it, or do not see a direct benefit to doing so.
themeatbridge@lemmy.world 5 months ago
It’s also a pain in the ass for the user. Creating a barrier to entry decreases the likelihood that your customers will use the service. I don’t want to go find my phone to receive a text every time I want to log in to every single website.
user224@lemmy.sdf.org 5 months ago
It’s not like it has to be required.
halcyoncmdr@lemmy.world 5 months ago
Pain in the ass, not really.
Text based MFA is the least secure option, and shouldn’t be used. Apps or a dedicated hardware token are the options you want, and those are pretty easy to setup.
That also doesn’t even take into account that mobile makes up more than 50% of global web traffic now. So “going to find your phone”, you are in the minority. The majority of people are already using their phone when they are logging into something.
A dedicated authenticator app like Authy is easy to set up. And now the most common password managers also allow generating those MFA app codes directly to login with them alongside your regular username and password. Apple’s Keychain, LastPass, and Bitwarden all support it, just to name a few.
And we have Passkeys being implemented as an alternative to the Password/2FA system, with native support for that via things like iOS and Bitwarden, and I’m sure others as well.