by sedatk 404 days ago
Also, people usually underestimate the problems of TOTP. Losing TOTP is easy. Lose your phone and it's gone. It means game over for a regular person. SMS is light years ahead in terms of ease of recovery. Even after losing your phone, you can stop by a store, activate your SIM back again with your ID. Not the case with TOTP.

Yes, some of the SMS recovery scenarios can make hackers hijack your account easily too, but cell operators have workarounds in place for that. It's getting better.

I don't even know how recovery scenarios work for passkeys.


Counter: Backups for TOTP are easy and you can use multiple devices/services for a single TOTP login.
Whether it is easy or possible is irrelevant. For the 99.7% of the world that isn't a software developer, the real-world observed use case will predominantly be the least-friction commoditized workflow. People mostly have one phone with one authenticator app, and that's what they'll use.
You aren't wrong. It is built into Google's and Apple's though, so it should be widely used.
> Losing TOTP is easy. Lose your phone and it's gone.

That is the main point of it. That's why it is called a second factor.

> It means game over for a regular person.

It just means you have to go to the nearest branch.

Precisely nobody is suggesting that there be no recovery mechanism. This criticism is a red herring.
What do you think such a recovery mechanism would look like without SMS?
Syncing the TOTP credentials from a cloud account of some sort (iCloud/Google for the masses, Bitwarden or another password manager for more technical users) to the device.

As a fallback recovery mechanism, offline backup codes generated at the time the TOTP is applied to the account.

Then you make Google/iCloud the point of entry to someone's bank account. That completely changes the threat model for customers, and possibly for worse than SMS.

Offline backup codes, when printed, aren't such a bad idea. But when you lose that piece of paper, again, game over.

SMS is fantastically resilient to these scenarios. There's a reason banks insist on using it.

SMS isn't resilient to the worker at the local retail store for the phone carrier giving someone else a SIM for my phone number. That's a much bigger threat vector than Google/iCloud/a sync target I manage storing an encrypted version of the TOTP credentials.
If I lose my phone I can go to the office of my carrier, present my ID and receive a new SIM with the old number[0]. If Apple/Google decide that I'm not their customer anymore then I have literally zero ways to recover anything from them.

[0] and half a year later the bank would finally find out about it and block the SIM 'to prevent fraud' at the most inconvenient time. But again, it's solvable with a visit to the office and an ID.

How realistic is this threat? I would think that the employees would have to jump through hoops that require you to be present (or at least a lot more of your info to be stolen than just your name and number) and that the home network would detect a duplicate E.164 number with conflicting IMEI/IMSI numbers and locations pretty quickly.
Show up in person with ID.
That's not necessarily possible. Many banks do not have physical locations, and many people do banking business while physically away from a bank.

https://en.wikipedia.org/wiki/Direct_bank

We're talking about recovery mechanisms, not day to day regular banking interactions. Ultimately, if there isn't a physical branch you can show up to easily, your access recovery time might be pretty inconvenient. This would be a good thing to consider when selecting a bank.
Online only banking is fairly popular for traditional banking services, and wildly popular when you consider money transmitters, lenders, and investment brokerages.

Whatever the problem you think they have with authentication resets -- much of the financial market seems to have solved the problem well enough without in-person resets to have successful mainstream businesses.

Yes, but remember, the original scenario was a person leaving Canada and trying to use their Canadian bank account from the US. There is nowhere to show up. But, if they could swallow SMS roaming costs temporarily, they could access their account easily.
> There is nowhere to show up.

There's Canada. And yes, re-enabling a SIM and paying a handful of roaming SMS charges might easily be more convenient than traveling to Canada.

MFA is more than 2FA. You'll typically mandate several ways to get in, ahead of time. Whether a third logical device or printing out recovery codes. For something as important as a bank, folks will comply.
Password managers, such as KeePassX, can generate TOTP codes. And a KeePass database is just a file, so you can have as many backups of it as you want.
You overestimate a regular person's technical skills and their capability of planning resilient backup strategies.