by Phurist 1048 days ago
Why would I want to buy a smartphone, just to log in to some service? Why would I want to install some crappy auth app on my computer (that most likely does not even have a Flatpak)?

Most places do not support Yubikey... so getting SMS on my Nokia 3310 is the best option for me.

SMS is the way to go.


You don't need a crappy app. Just write down the seed someplace and compute the TOTP yourself. It's not rocket science.

https://en.wikipedia.org/wiki/Time-based_one-time_password

edit: here's a cli tool for doing this: https://www.nongnu.org/oath-toolkit/oathtool.1.html

KeepassXC and KeepassDroid support TOTP tokens in the same record as your username and password, for more convenience too.
Furthermore, Flatpaks do exist since, like you've stated, it is easy to implement: https://flathub.org/apps/search?q=totp
This is a pretty good one

https://github.com/arcanericky/totp

It's the way to go for you since it is convenient for you? Doesn't really help against the security problems with SMS. Someone can for example socially engineer a phone company operator to steal your phone number.
SMS is the way to go until your operator swaps the SIM on your line without your approval.

SMS is the way to go until you need to sign in from somewhere you don't have cellular coverage.

TOTP is superior in almost every way. Failing that, sending a login link (or code) to the user's email address is more secure than SMS.

Which feature phones, usually used by the aging population, support TOTP?
Any phone that supports J2ME should do; there are several apps:

https://github.com/kwart/totp-me

https://github.com/baumschubser/hotpants

(Couldn't find one that supports QR codes, though I don't see why that would be hard to implement)

I guess there is a business in figuring out how to compile out of GitHub into phones for non-techies, especially in the aging population.
Hopefully their relatives can remember how to install JAR/JAD apps: https://github.com/baumschubser/hotpants/releases

(Yeah, the UX could be better probably, but hey.)

Sure, because everyone has a relative that knows technical stuff, why there is a hiring problem in IT at all.
SMS is not the way to go and you are conflating capabilities with poor engineering.

You cannot install a barebones TOTP app on your Nokia 3310 because it is closed source.

Most services don't offer third party TOTP because they are pressured into pushing their shitty proprietary apps.

But TOTP is not only more secure, it's completely offline. It's close to the best solution and totally exists right now.

This is the problem though. SMS was pushed early on since it was a great way to identify and track users in addition to being easy for most of them to use. It was never as good a choice as TOTP, but it was easier to get users to use. But now there is a lot of momentum behind SMS and only sporadic support for things like TOTP.

Most of the new alternatives seem focused on pushing lock-in traps and are complicated for users to understand or use. If they're going to lose user tracking of the phone number they want something even worse to replace it, not something open like TOTP.

Well I have a smartphone but I still don't want a shitty app for each service.

What's all this about SMS being insecure? I never heard of phone numbers being hijacked in my country (except in the case of physically stolen phones ofc). Is this another consequence of US making it so easy to steal an identity?

TOTP does not require one app for each service, plus phone scams and SIM cloning are rampant. Seems you have limited experience in both subjects.
> TOTP does not require one app for each service

That is, if your vendors all agree on something.

> Seems you have limited experience in both subjects

Yes, also limited experience on identity theft. Care to comment on my suspicion?

TOTP is a standard; if your vendor supports it, that _is_ them agreeing on something.
I have a bunch of vendors (e.g. Microsoft, Google, Gitlab, VPN, others) in the same OTP app in my phone, so my belief is that they seem to agree just fine.

There are of course examples of vendors that don't. I think Steam is one of them. And my bank.