Email or username:

Password:

Forgot your password?
Top-level
Matthew Green

Smart people keep saying things like “but authenticator apps will still be free and those won’t require you to pay, plus they’re more secure.” That’s true! But also completely misunderstands what’s about to happen.

5 comments
Matthew Green

What sets SMS 2FA apart is that it’s almost “free” from a user-effort perspective. If you own a phone, the feature is already built-in and enabled. Setup is nearly effortless. Backup is taken care of. Unfortunately none of the same things are true for HOTP/authenticator apps.

Matthew Green

The cognitive overhead of installing an authenticator app (and then worrying about what happens when you lose your phone) is absolutely ridiculous. The overall experience is just stunningly bad, given that it’s one of the best defenses we have.

Matthew Green

Free one-time code authenticators *should* be built into every phone. They *should* be enabled on the default keyboard. They *should* be securely backed up to an end-to-end encrypted account. If Google/Apple did this, adoption would be high.

Dr. Quadragon ❌

@matthew_d_green It also *should* be an open standard with libraries freely available in all platforms, and *should* be platform- and vendor-independent.

Ваня

@drq @matthew_d_green только надо поменять SHOULD на MUST, и тогда ваш RFC точно примут)

Go Up