by oefrha 2405 days ago
TOTP is great for you and me, but the average Joe totally does lose their phone and get locked out. Forget recovery codes, what the hell are those, they can’t even keep track of passwords. Authy provides encrypted backups you say? See “can’t keep track of passwords”.

Don’t even get me started on physical security keys. I could hardly even convince myself to use one, let alone always having at least one backup. Imagine asking my mom to do that.

At the end of the day, the average Joe needs a recovery mechanism that’s not tied to their memory and doesn’t make their everyday interactions a pita. Phone number is just one step below government IDs (which people would be uncomfortable to supply for most sites) and the challenge response could be easily automated, making it ideal. It’s being ruined because of the incompetence of telecom operators.

I wonder if requiring physical appearance with government ID for a SIM change, and making fraudulent SIM issuance a fireable offense would drastically cut down on SIM jacking. (Before anyone points it out, I do envision fraudsters applying for telecom jobs just to do this.)

Now, I’m not arguing TOTP without recovery phone number shouldn’t be an option. I opt into it whenever possible.


>Don’t even get me started on physical security keys

Well, I haven't seen a single person who wouldn't have one. We use them for cars and houses, though.

And credit/debit cards, I bet you have them too. It's a physical security key to the ATM. Classic 2FA spirit: something you have (the card) + something you know (PIN code).

The point is, people don't have problems with physical security keys. Programmers (and hardware vendors) do, which means no standards and clunky UI.

Physical keys go into designated keyholes, and give you physical access to something. Physical cards go into dedicated machines, and give you access to a physical transaction, cash, deposit box, etc. Physical objects for physical access.

Physical U2F keys get in the way of all-digital flows. They also need to interact with all kinds of non-dedicated devices, something they do a less than stellar job of. Bluetooth and NFC keys are young, setup process isn’t great and reliability seems to vary; USB keys require a USB port which might be occupied by other things or available only in another physically incompatible shape.

So, we are agreeing?

The keys aren't the problem, the engineers are. In this day and age, every device should have a digital keyhole (NFC, whatever) - and it should not take more than "insert or hold X next to Y".

Re: "physical process": something tells me you didn't type this message telepathically. UX is a physical process, and 99.99% of the time, it's doing something with your hands anyway. (Alexa/Siri/OK Google are a different beast).

If every other phone can have a fingerprint scanner, it can have something for actual keys too.

Moreover, imagine this: your devices could have built-in hardware keys that you can register with your bank/etc should you desire that convenience.

Still proper 2FA: your phone number is just an account, which is at the whim of your service provider, but your device is something you have.

Before pushing stuff like TOTP, we need to get everyone on board with using a password manager correctly. I use one and it's a quality of life improvement as well as a security improvement. I only have to remember one password, and I have all of my credentials on my phone and my browser. It's set to automatically lock after some minutes, so I'm secure most of the time. I just checked and I have over 100 passwords in my password manager, and there's no way I would be able to have a unique password for each one and remember them all.

It's a bit of an "eggs in one basket" situation, but given that people tend to use the same password everywhere, I see it as strictly a step up since it's much less likely for your password manager to be compromised (targeted attack in most cases) than for a site to be hacked.

Once everyone is using password managers consistently, then we can start to talk about TOTP and other 2FA tools, and at first only use it to secure the password manager.

Once we solve the password manager problem, most other problems go away. You don't need to reset passwords if you have it in your password database (your computer won't forget it). You don't have to come up with passwords that match some arbitrary set of requirements, you let your computer do that. If you get recovery codes, stick them next to your passwords in your password manager. If there's a breach, your password manager can likely tell you which accounts are affected, and you can just change those instead of every site that you use that password on.

So yeah, 2FA is nice, but improving how people use the first factor is far more important and actually makes people's lives easier.

I have pushed my parents to use a password manager multiple times over the years but failed (it’s as simple as adding them to my existing 1Password subscription). And my father is a software engineer, of all professions.