this post was submitted on 09 Dec 2023
302 points (89.1% liked)
Technology
59398 readers
4589 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The first link is basically an "advertisment hidden in a normal, professional-looking article". All they're saying is how these ways are not secure, but most importanly, how their solution is more secure, published under their own site.
When you take this into account, their claims start to break down: while yes, email and SMS MFA might be inherently less secure since the code could be transmitted via an insecure channel, saying TOTP is not not secure because "you device can be hacked" is a kinda bad take: if your device is already hacked, you'd have a much bigger problem: even if you are using security keys, the hacker would already have access to whatever service you might be trying to protect. As for the lost/stolen case mentioned in the article, if you put TOTP code in a password manager (as most would probably do if they're doing this), that shouldn't be a problem. The only way this would be a problem is that the TOTP secret is stored in plain text, which would be the same for any authentication methods.