Closed arush closed 7 years ago
Yep, MFA via an app would be an advantage :+1:
I was once doing something with my bank, that required me to enter a code they'd "sent me" ... Though the provider they were using was having issues ... Took over 10 minutes to arrive, by which time it had expired Lol
The first version of Teller used a TOTP as the second factor. However, it didn't test that well with users. I agree TOTP is a more secure factor than SMS, considering the problems with SS7 attacks. It's the main reason user password resets aren't currently possible: to avoid account hijack. The code for TOTP is still in the codebase; it's coming back as an option for the second factor in an upcoming release.
You can now use TOTP as the 2nd factor.
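Since the thread settles on TOTP as the second factor, here is what that factor looks like in working code. This is an added example, not Teller's implementation; it follows RFC 4226 (HOTP) and RFC 6238 (TOTP) and uses the RFC test-vector secret `12345678901234567890`. The one-step acceptance window, the replay check via a set of already-used counters, and the `seconds_remaining` helper are design choices assumed here for illustration (they address the expiry problem mentioned earlier in the thread), not anything specified by the project.

```python
# Added example (not Teller's code): RFC 4226 HOTP / RFC 6238 TOTP with a
# verifier that tolerates clock skew and rejects replayed codes.
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte selects the 4-byte window
    code = (
        (digest[offset] & 0x7F) << 24  # mask the sign bit
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp_counter(for_time: int, step: int = 30, t0: int = 0) -> int:
    """RFC 6238: the counter is the number of whole time steps since t0."""
    return (for_time - t0) // step


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP evaluated at the time-derived counter."""
    return hotp(secret, totp_counter(for_time, step), digits)


def seconds_remaining(now: int, step: int = 30) -> int:
    """How long the code shown at `now` stays valid on an exact-step verifier."""
    return step - (now % step)


def verify_totp(
    secret: bytes,
    submitted: str,
    now: int,
    used_counters: set,
    window: int = 1,
    step: int = 30,
    digits: int = 6,
) -> bool:
    """Accept a code for the current step or `window` steps either side of it.

    `used_counters` is the caller's per-user record of counters that already
    authenticated (assumed design choice): a code is single-use, so a replayed
    code within the window is refused. Comparison is constant-time.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    current = totp_counter(now, step)
    for counter in range(current - window, current + window + 1):
        if counter in used_counters:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    used: set = set()
    print("code:", code, "valid for", seconds_remaining(now), "more seconds")
    print("first use accepted:", verify_totp(RFC_TEST_SECRET, code, now, used))
    print("replay accepted:", verify_totp(RFC_TEST_SECRET, code, now, used))
```

With `window=1` a code generated up to 30 seconds before or after the server's current step still verifies, which covers ordinary phone clock drift without opening the factor to the multi-minute delays SMS delivery can suffer; the used-counter set must be stored per user (e.g. alongside the secret) for the replay check to mean anything across requests.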
Firstly, love that MFA is a default standard to sign in.
However, personally I travel a lot and never have access to both my phones, which results in me not being able to use cell phone text messages to sign in. E.g. today I'm in California and I can't sign in. There has also been a lot written about how cell service providers are usually the weakest part of a secure system, since Vodafone (et al.) customer service reps can easily be persuaded to give over account access to an imposter.
A few companies I know are moving away from SMS for this reason. I personally prefer MFA apps like Google Authenticator, or the way Apple does it via a secondary device code. 1Password's Chrome extension installation is another good example. LaunchKey provides MFA as a service for developers to roll their own MFA. There might be better solutions that don't depend on the phone network; that would be my preference.
Would love to hear others' thoughts.