by anaphor 4446 days ago
>why do many companies use SMS as secondary auth (for the "2" in 2-factor)?

Because they don't know about TOTP or HOTP, and they instead decided to use a terribly insecure protocol as the basis for user authentication? The onus is on you to prove SMS is better than a shared secret + a nonce.


Ok, valid point. To clarify, when I said 2-factor SMS, I was assuming a 30-second TOTP like Google's.

If you don't use TOTP, someone can log in to your account just by knowing the password, which they can use from almost anywhere. If you were to only use TOTP, they'd need your phone. To me, them stealing your phone is tougher than stealing or guessing your password.
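To make concrete the "shared secret + a nonce" the first commenter is contrasting with SMS, here is a from-scratch HOTP (RFC 4226) and TOTP (RFC 6238) implementation with a server-side verifier. This is example code added to this page; it is not code from either commenter or from Google. The shared secret is the RFC test-vector key, the one-step drift window and the replay guard are design choices of this example, and the `TotpVerifier` class name is made up here.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP per RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    counter_bytes = struct.pack(">Q", counter)
    digest = hmac.new(secret, counter_bytes, algorithm).digest()
    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """TOTP per RFC 6238: HOTP whose counter is the current Unix time divided by the step.

    The 'nonce' is the clock; nothing is transmitted over a second channel such as SMS."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algorithm)


class TotpVerifier:
    """Server-side check (example design): accepts codes within +/- `window` steps of
    clock drift and never accepts a step at or before the last successfully used one,
    which is the one-time-use rule in RFC 6238 section 5.2."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, algorithm=hashlib.sha1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.algorithm = algorithm
        self.last_counter = -1  # highest time step already consumed by a valid code

    def verify(self, code: str, for_time=None):
        """Return the matched time-step counter, or None if the code is wrong or replayed."""
        if for_time is None:
            for_time = time.time()
        current = int(for_time) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            expected = hotp(self.secret, counter, self.digits, self.algorithm)
            # Constant-time comparison so response timing does not leak partial matches.
            if hmac.compare_digest(expected, code):
                if counter <= self.last_counter:
                    return None  # same or older step already used: replay
                self.last_counter = counter
                return counter
        return None


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 / RFC 6238 test-vector secret.
    demo_secret = b"12345678901234567890"
    print("current 6-digit TOTP:", totp(demo_secret))
    print("RFC 6238 vector at t=59, 8 digits:", totp(demo_secret, 59, digits=8))
```

Two details worth noting for anyone building the server side: the window exists only to absorb clock skew between the phone and the server, and the `last_counter` check is what stops a code that was captured (by a keylogger, a phishing page, or over someone's shoulder) from being replayed during the remainder of its 30-second step.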