I’ve been going through updating all of my accounts (passwords, 2FA, etc.), and I’ve noticed that there are a lot of sites that don’t offer any form of MFA.

I can understand smaller services that might not have the bandwidth, but surely larger organisations are able to get this setup?

  • themeatbridge@lemmy.world
    link
    fedilink
    arrow-up
    14
    ·
    6 months ago

    It’s also a pain in the ass for the user. Creating a barrier to entry decreases the likelihood that your customers will use the service. I don’t want to go find my phone to receive a text every time I want to log in to every single website.

    • halcyoncmdr@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      6 months ago

      Pain in the ass, not really.

      Text based MFA is the least secure option, and shouldn’t be used. Apps or a dedicated hardware token are the options you want, and those are pretty easy to setup.

      That also doesn’t even take into account that mobile makes up more than 50% of global web traffic now. So “going to find your phone”, you are in the minority. The majority of people are already using their phone when they are logging into something.

      A dedicated authenticator app like Authy is easy to set up. And now the most common password managers also allow generating those MFA app codes directly to login with them alongside your regular username and password. Apple’s Keychain, LastPass, and Bitwarden all support it, just to name a few.

      And we have Passkeys being implemented as an alternative to the Password/2FA system, with native support for that via things like iOS and Bitwarden, and I’m sure others as well.

        • halcyoncmdr@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          ·
          6 months ago

          My second paragraph literally points out that the majority of Internet traffic now is mobile, around 58%. More likely than not, any given person is already on their phone. No need to find your phone when it’s in your hand and you’re already looking at it.

            • halcyoncmdr@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              6 months ago

              Possibly, but the real world is likely nowhere near that. I’d be willing to bet most people in general don’t leave their phone lying around their house randomly while they’re home and actively doing things where they might need to login to accounts. More likely their phone is in a pocket, or on the desk in arms reach, not the other side of the house while they’re on the computer.

              And of course all of this assumes a phone only app or a text message while ignoring the systems that let you access your messages from other devices. Like the iOS/Mac support through an Apple ID, Android Messages supports via the web, and Phone Link on Windows will let you do as well over WiFi at home. All of those will let you access your phone messages without needing the phone directly in front of you.

              • Thavron@lemmy.ca
                link
                fedilink
                arrow-up
                2
                ·
                6 months ago

                I think you’re vastly overestimating the digital literacy of the population as a whole.

                • halcyoncmdr@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  6 months ago

                  Oh I realize how illiterate most people are with tech. But fully integrated systems like Apple’s Keychain and integration with Mac products make that a much smaller issue than it would otherwise be on the surface for many of those users. At least, until they don’t remember their Apple ID.