[vmception]

"sms based one time passcodes" needs to die

and the companies that know better should be fined and sanctioned, particular the ones that are demanding SMS based OTP so they can also add your phone number to their social graph

[jsnell]

Nonsense. SMS is a great recovery factor, both for people who forget their password, and for those who lose access to their other second factors. (E.g. email address or a smartphone app). The thing that makes SMS uniquely good at this is that there is infrastructure around for people to replace their lost SIM cards, and that SMS available globally (vs regional identity systems like the bank ids in Nordic countries).

The problem is purely with how some companies are applying SMS as an auth factor. In cases where SMS us being used as a recovery factor, it should not be allow for immediate recovery. Instead the user should be notified via other channels (email, phone notifications) about the recovery attempt, be given the opportunity to reject it, and for the recovery to only succeed if it is not denied after e.g. 3 days.

[cortesoft]

Not being able to access your account for 3 days when you need to recover your password is not going to be a viable business decision for most services. I think you are SEVERELY underestimating how often the average user needs to recover their password.

[caconym_]

My partner resets her Google password every time she logs in. It's just part of the normal flow for her. She probably does it with everything, but I'm not listed as a recovery on the other things.

Something better would be great. She's probably an extreme example, but I think we techy people tend to have a warped view of how comfortable "normal people" are with effective password management.

[jsnell]

Google has the following. Would you consider it to be "something better"?

https://support.google.com/accounts/answer/6361026

I.e. use smartphone prompts as the first factor (without causing password resets), while the password is just a backup when the phone is not available.

[enriquto]

> My partner resets her Google password every time she logs in. It's just part of the normal flow for her.

I also do that everywhere. As a matter of principle, I have decided to not remember any passwords in my life. I call it "login by email".

[marshmallow_12]

tell me. On some little-used accounts of mine i need a new password for every login. Then there's one particular account which never lets me login. I have to make a new password every time...

[dceddia]

I had one like this. I’d type the new password, confirm it, get “success!” And then type the exact same thing to log in and it would fail.

Turned out that the text box for entering the new password allowed a different number of characters than the one for logging in.

[marshmallow_12]

wha? Who does that? I don't think that's my problem, though i go crazy every time my password isn't recognized, i go through the process and this message comes up "you must use a different password". And i can't even just go back to the login menu. It's too late! And i paid money for this account.

[vmception]

I know a popular bank integral to the functioning and liquidity of an entire state whose "eBanking" features are like this, in 2021.

[devoutsalsa]

I hate having to use a smartphone for auth in general. Especially when I have an app on my phone that expects me to be able to receive an SMS on the same phone. It’s like I need my phone to recover having lost my phone.

[nickjj]

> I hate having to use a smartphone for auth in general.

Same, especially since I don't have a smartphone.

Often times I'll go a week without looking at my phone and by then it has lost its charge so if an app requires a OTP to do something I often need to wait a while before it's charged enough to receive a text.

I do have a Google Voice number but I've mistakenly used my real number for a few services that frequently require SMS confirmations.

[devoutsalsa]

I use Google Voice when at all possible, but there are a few cases where it doesn’t work. The easiest way to piss me off is to make me use a USA number that isn’t my Google Voice number! It doesn’t help that some services won’t even let me log from a non-USA IP when I’m traveling.

[jfrunyon]

> SMS is a great recovery factor

No. Send me an email, let me upload my ID, anything but SMS. SMS is completely insecure. Not only can it be passively sniffed along the way, not only can malicious actors intercept it without access, not only can pretty much any employee at my telco access it, not only can pretty much any employee at my telco get tricked into intercepting it, but by default (and therefore for the vast majority of users), it'll show up while the phone is locked!

[davchana]

Google is also a culprit in this same way. Activate normal 2fa, but when you click forgot password, conveniently it says Should we send a code to your phone?

[tialaramex]

Google does not offer me this option, I just checked.

If I claim to have forgotten my password, the first idea it has is that I should prove I still have my Security Key

Then it suggests it could send codes to my GMail (which might actually be useful if I have another device signed into that) or to another email address it knows about (it deliberately redacts part of each address in case I am not me)

Then it resorts to suggesting I try passwords I remember using on this account. I don't know what happens if I give it a password I haven't used for a few years, 'pass' means I keep a complete git history of Google passwords but I am reluctant to mess with this

Then it says too bad, it cannot authenticate me.

[jfrunyon]

> Then it resorts to suggesting I try passwords I remember using on this account. I don't know what happens if I give it a password I haven't used for a few years

I can't say what it does currently but it used to say something along the lines of "you haven't used that password in a while. try something else."

[177tcca]

It gives you a better case that you are the owner of the account, if you were to get a human to review.

[jfrunyon]

Note that it sends a code to your phone which is logged into your Google account, via a (presumably/allegedly, but at least it's not SMS) secure channel.

(Actually, it doesn't send a code to your phone. It either sends a prompt to your phone, OR you can open a buried menu in some app to GET a - essentially TOTP - code.)

[davchana]

Oh no, if I cycle enough through Other Ways or I don't have my phone (while having my phone number connected with Google Account), it offers me to confirm my phone number with showing number as *** & last 4 digits.

When I confirm the phone number, it sends a 6 digit SMS code prefixed with G-, like G-123456 The input box on page has already a read only G- text, & then a box for 6 digit code. After I confirm code from SMS, it gives the option to reset password.

Most of the forgot password ways to reset password is Tap on other Device prompt OR get a code from Google App.

Sample Google SMS to reset code with fictional number.

```G-007007 is your Google verification code.```

After I removed the phone number, now if i click Other Ways enough times, it simply says, give us the information about last time logged, creation date, some address I email frequently, & some other stuff, & sats it will take few days for them to get back to me.

[jfrunyon]

Interesting. I can't get it to give me any options like that personally. (Maybe because I have a security key active?)

[davchana]

Oh yeah, I also agree n believe that's the reason. Although having a key active does not mean the super secure government level threat protection, if one activates that threat from state protection, many of the account recovery options become unavailable.

I assume the number of account recovery options diminish with increasing levels of protection.

[pta2002]

I have a security key active but it still offers to send me an SMS code for some reason (worryingly, to a phone number I no longer have... should probably get on to changing that)

[vmception]

One Time Passcode seeds are a globally available ID system.

and I really don't call them second factor, that conflates the whole issue of where they are stored, how they are synced and used. people should be able to recover access to their one time passcode seed and there is little excuse for this.

[jsnell]

TOTP is globally available, but does not have an established way of recovering your key if it's lost. ("Little excuse" or not, people will not back up the key or print backup codes.)

While if I lose my SIM card, I'll walk to one of my operator's shops (there's probably one within 1km), show them my ID, and they'll replace the SIM. It's the only digital identifier that I could bootstrap from if I lost access to everything in one go.