I’ve been going through updating all of my accounts (passwords, 2FA, etc.), and I’ve noticed that there are a lot of sites that don’t offer any form of MFA.

I can understand smaller services that might not have the bandwidth, but surely larger organisations are able to get this setup?

  • zorro@lemmy.world
    link
    fedilink
    English
    arrow-up
    21
    ·
    5 months ago

    The worst here are financial institutions. What do I want the most security on? My money.

    I get that they have regulations, but it annoys me all the time.

    • halcyoncmdr@lemmy.world
      link
      fedilink
      English
      arrow-up
      14
      ·
      5 months ago

      The worst part of those is when they do support 2FA, but it’s text-only. No app authentication or hardware key option.

      Like it’s something, but it’s easily the least secure option, and probably the most expensive since it requires operating an additional SMS portal for those codes.

    • AA5B@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      5 months ago

      SMS 2fa on banks is not as bad as you’d think.

      1. They settled on SMS before there really were choices, and banks are slow to change
      2. Banks long since realized SMS was inadequate and use additional security. I imagine all banks in US, but certainly the biggest ones, invested in profiling software that looks at your behavior and device to rate every transaction by additional risk factors. They’re already pretty confident nothing bad is going on
    • Anas@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      5 months ago

      This one I can understand, if something somehow goes wrong with your 2FA you’re locked out of your money

    • tiramichu@lemm.ee
      link
      fedilink
      arrow-up
      2
      ·
      5 months ago

      As a developer who has worked on similar systems, I can see why it likely ended up that way. Not justifying it, only understanding it.

      In the case of banks, it’s likely that;

      • They needed to make 2FA mandatory for all customers, rather than opt-in. This means they needed an MFA method which a person of any technical competency can use. SMS is the “lowest common denominator” here, so they chose it.

      • The cost of sending SMS messages is high, but banks are (unsurprisingly) rich and can afford it

      It would be great if banks offered better MFA methods, but development time in old-school banks is often ridiculously long as it is a very risk-averse industry that is also slowed down a lot by bureaucracy. It’s likely they would choose something else on the roadmap, and stick with SMS as simply “good enough”

    • dinckel@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      5 months ago

      Pornhub has better account security than my bank, which ONLY has an option for a 6-digit numeric password, with no 2fa at all