by Knee_Pain 1054 days ago
SMS is not the way to go and you are conflating capabilities with poor engineering.

You cannot install a barebones TOTP app on your Nokia 3310 because it is closed source.

Most services don't offer third party TOTP because they are pressured into pushing their shitty proprietary apps.

But TOTP not only is more secure but it's completely offline. It's close to the best solution and totally exists right now.

2 comments

This is the problem though. SMS was pushed early on since it was a great way to identify and track users in addition to being easy for most of them to use. It was never as good of a choice as TOTP, but it was easier to get users to use. But now there is a lot of momentum behind SMS and sporadic support of things like TOTP.

Most of the new alternatives seem focused on pushing lock-in traps and are complicated for users to understand or use. If they're going to lose user tracking of the phone number they want something even worse to replace it, not something open like TOTP.

Well I have a smartphone but I still don't want a shitty app for each service.

What's all this about SMS being insecure? I never heard of phone numbers being hijacked in my country (except in the case of physically stolen phones ofc). Is this another consequence of US making it so easy to steal an identity?

TOTP does not require one app for each service, plus phone scams and SIM cloning are rampant. Seems you have limited experience in both subjects.

> TOTP does not require one app for each service

That is, if your vendors all agree on something.

> Seems you have limited experience in both subjects

Yes, also limited experience on identity theft. Care to comment on my suspicion?

TOTP is a standard; if your vendor supports it, that _is_ them agreeing on something.
I have a bunch of vendors (e.g. Microsoft, Google, Gitlab, VPN, others) in the same OTP app in my phone, so my belief is that they seem to agree just fine.

There are of course examples of vendors that don't. I think Steam is one of them. And my bank.