[orev]

>> Yes, absolutely. Recovering lost TOTP keys in a secure way is a difficult problem, and this happens all the time when people get new phones. With SMS the code is tied to your account, not the device.

> You can store your backup codes in any number of ways. The easiest being to just download them and have them automatically backed up to Google Photos/ iCloud.

As soon as the lost TOTP keys was mentioned, this is exactly the type of response I was expecting, and it shows how far out of touch tech people are with “normal” people.

MFA login is needed because general people are so bad at managing their passwords (using simple ones, re-using ones that have been leaked, etc) that the tech side had to just give up asking and start forcing everyone to use what is essentially a one time password.

If users were conscientious enough to know how to store backup codes, etc, then we wouldn’t have the problem of bad passwords to begin with. So you’re expecting people with bad habits in one area to magically have good habits in another area that only exists because they couldn’t properly solve the original problem.

[insanitybit]

> So you’re expecting people with bad habits in one area to magically have good habits in another area that only exists because they couldn’t properly solve the original problem.

Not really, no. I'm actually advocating against non-FIDO2 2FA entirely because a strong password is just as good and every browser has a password manager built in now. 2FA doesn't add security, SMS 2FA makes things worse.

[hn_throwaway_99]

Built-in password managers (at least Chrome's) suck:

1. These days, most people use passwords across browsers and native apps. In-browser password managers don't really support this use case well, at all.

2. At least in Chrome's, you can't manually add a password or add any notes.

3. Sometimes login domains change, and since the password is only tied to the domain (not a generic name), it's easy for passwords to get lost.

Again, nobody is really disagreeing with you that the situation is less than ideal or that there are more secure alternatives. But you seem unwilling to accept that a huge swath of the population sucks at secure password management, which is why SMS 2FA is a "lowest common denominator" option to improve security.

[insanitybit]

I think the main contention here is that I'd say users should just do nothing. SMS 2FA sucks and it's going to be a horrible tech debt that we're paying off for decades. We have better alternatives that, for a huge number of users, are perfectly acceptable. For everyone else, yes, they will have to use stronger passwords.

I really don't believe that there's some huge cross section of users who simultaneously:

a) Will go through the hassle of enabling and using SMS 2FA

b) Won't go through the hassle of using another 2FA method - email, totp, any smart phone for u2f, or a dedicated token

c) Won't use relatively unique passwords for high value websites, password manager or not

IMO SMS 2FA is, however, likely convincing users that they are safer than they truly are, and gives companies an excuse to do what's easy and not what's safe.

I mean, some banks even hand out hardware tokens to customers. I'd suggest that instead of SMS 2FA being treated as acceptable we add more pressure to improve the other systems, lower their prices, etc. Hardware keys should be effectively free.