My excuse is I hate using TOTP. Stop making me open an app, wait for it to load, read numbers, type it in. If you have a situation where you have to auth multiple times, it's even more annoying. Other modern methods are less annoying and (arguably) more secure.
Not only that, but I have three authenticator apps installed because each service only works with one (or select ones).
But when I try to log in, they give no indication of which one I have to use.
So I finally started annotating which one in my password manager, so it's a whole extra step to load up that as well, and then search for the app on my phone.
Except it's worse: both the Google and Microsoft authenticators are just named "Authenticator", identically. At least the Google icon is a "G", but the Microsoft icon is so generic it could literally be any company. And then the Symantec Authenticator is randomly called "VIP Access", with zero indication it's by Symantec or that it's even an authenticator.
And because I only use these things once a month or so, I'm re-baffled by it every time.
I’m not sure what the three are, but I was able to use Authy for all of my TOTP codes before I moved them all to the iOS/macOS keychain which now has TOTP support combined with autofill into the TOTP field in Safari.
But in any case, what I wanted to let you know is that you can convert the Symantec VIP token into a standard TOTP token.
You can have your Steam guard in your 2FA app as long as it has support for it. I'm personally using Aegis and have managed to put the Steam TOTP there. [1]
There are other ways to do it that don't require using Python and the Steam API by using Steam's desktop application, but since this is HN I find this the most interesting.
Oh right, Duo. Those are apparently OATH HOTP codes with some proprietary modifications[1]. I also have to use Duo for work but almost all of the time I acknowledge the push notification instead of using the code. Between Okta, Duo, Touch ID and a Yubikey it feels like I’m having to authenticate one way or another dozens of times a day, so I feel your pain there.
But outside of work, all my personal TOTP codes are consolidated.
I myself use Aegis for almost everything, but have to use Authy for SendGrid and Twilio (those and Authy are from the same company). Then I also need Duo for my company's SSO.
I really wish I could use Aegis for all of it, but I wouldn't want to use Authy for all of it.
You don't need both Google and Microsoft Authenticators though, both of them support TOTP. But, yeah, there are some places that require a separate app just for them, like Steam, eBay, Twitch and Blizzard, which is annoying.
Most frequently, yes! Sometimes the UI crosses the line from providing a suggestion to straight up bullshitting you, but most implementations of time-based 2FA are compatible with RFC 6238[1] (of which TFA is a good summary) and communicate the shared secret in a de facto standard URI format[2] inside a bog-standard QR code.
Although now that I'm researching it, it's even more convoluted. I'd installed the Symantec VIP Access authenticator app, for example, specifically because PayPal had said they required it (or the wording had led me to believe that -- they certainly didn't mention alternatives).
But now apparently it's the opposite -- as of this past June, PayPal has removed support for Symantec, and requires instead Google/Microsoft/Authy/etc.:
Never interacted with Symantec’s system and thought it was one of the rare non-standard exceptions, but apparently it’s just normal TOTP with extra funky lock-in at the enrolment stage[1,2].
Yes, it's usually just a suggestion. Most sites will work with any standard TOTP app (MS Authenticator, Google Authenticator, AndOTP, Authy, etc). I have all of them in AndOTP (apart from the ones I mentioned above).
Bitwarden can generate TOTPs that get copied to your clipboard after filling the username and password box for a website. Usually all that's required is an extra ctrl-v and enter.
But honestly: If the "remember this session" button is checked as it often is for apps and sites, you should only have to do it every once in a while. Or, if the site is a bit more clever, you may only have to 2FA on sensitive screens, such as "edit personal data" or "make purchase" or "transfer money".
The nice thing about "non-push" TOTP is that it does not require any external service. A site could generate its own TOTP keys, show you a QR code and let you use any app (Authy, 2FAone, Google Authenticator, etc) to manage those codes. And your phone can be offline and still work with it, and you can back up your own 2FA keys.
"Push" based 2FA requires a service, typically paid, like Okta or RSA.
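Several comments in this thread lean on the same three facts: that a standard authenticator code is RFC 6238 TOTP (RFC 4226 HOTP with the counter set to the current 30-second step, which is also the base Duo builds on), that the shared secret reaches the app as an otpauth:// URI inside a QR code, and that a site can therefore run its own enrolment and verification with no external service. The block below is an added worked example written for this page; it is not code from any commenter, nor from Aegis, Authy, Bitwarden or any other app named here. It implements the generator the apps run, the URI the site emits and the app parses, and a server-side check with a clock-skew window and single-use enforcement. The issuer and account names are constructed; the expected values in the comments come from the test vectors in the RFC 4226 and RFC 6238 appendices.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, quote, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP is HOTP with the counter set to floor(unix_time / period)."""
    return hotp(secret, at // period, digits, algo)


def generate_secret(nbytes: int = 20) -> bytes:
    """Server-side enrolment: a fresh random shared secret (160 bits, the RFC 4226 recommendation)."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(issuer: str, account: str, secret: bytes, digits: int = 6,
                     period: int = 30, algo: str = "SHA1") -> str:
    """Build the de facto standard otpauth:// URI that a site encodes into its enrolment QR code."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer, safe='')}"
            f"&algorithm={algo}&digits={digits}&period={period}")


def decode_base32_secret(text: str) -> bytes:
    """Apps accept secrets typed with spaces, lower case and missing padding; normalise all three."""
    text = text.replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def parse_otpauth_uri(uri: str) -> dict:
    """What a standards-following authenticator does when it scans the QR code."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth://totp or otpauth://hotp URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    issuer_in_label, _, account = unquote(parts.path.lstrip("/")).rpartition(":")
    return {
        "type": parts.netloc,
        "issuer": params.get("issuer") or issuer_in_label or None,
        "account": account.strip(),
        "secret": decode_base32_secret(params["secret"]),
        "algorithm": params.get("algorithm", "SHA1").lower(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "counter": int(params["counter"]) if "counter" in params else None,
    }


def verify_totp(secret: bytes, code: str, at: int, last_accepted_step: Optional[int] = None,
                window: int = 1, period: int = 30, digits: int = 6,
                algo: str = "sha1") -> Tuple[bool, Optional[int]]:
    """Server-side check: accept the current step plus `window` steps either side to absorb clock
    skew, compare in constant time, and refuse any step at or before the last accepted one so a
    code that has already been used cannot be replayed during its remaining lifetime.
    Returns (ok, step_to_record); the caller stores the step alongside the user's secret."""
    current = at // period
    for step in range(current - window, current + window + 1):
        if step < 0 or (last_accepted_step is not None and step <= last_accepted_step):
            continue
        if hmac.compare_digest(hotp(secret, step, digits, algo), code):
            return True, step
    return False, last_accepted_step


if __name__ == "__main__":
    # Constructed enrolment: the site generates a key, shows the URI (as a QR code), the app parses it.
    key = generate_secret()
    uri = provisioning_uri("ExampleSite", "alice@example.com", key)  # constructed names
    enrolled = parse_otpauth_uri(uri)
    now = int(time.time())
    print(uri)
    print("app shows:", totp(enrolled["secret"], now),
          "server says:", verify_totp(key, totp(key, now), now))
    # RFC 4226 / RFC 6238 vectors with secret b"12345678901234567890":
    # hotp(counter=0) -> "755224", totp(at=59, digits=8) -> "94287082"
```

The only state the verifier keeps per user is the secret and the last accepted step, which is what lets a site offer this with no third-party service; the same `hotp` routine with a stored counter instead of a time step is the HOTP variant. An app that has been given a secret by hand (typed base32 rather than scanned) goes through `decode_base32_secret`, which is where most "the code never matches" support tickets come from: stray spaces, lower case and dropped padding all have to be tolerated on the app side.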
Every time you change device or browser, for many services when you change your IP country, and many services limit the amount of remembered device sessions meaning you basically have to do it every day. Multiply by the number of services that force 2FA. Pray your VPN behavior or travel did not get you some hidden red flag.
Have your password manager take care of TOTPs. Copy and paste. You're using a password manager with randomized passwords for your sites, services, and apps, right?
And you could do it with pencil and paper if you wanted. If you were very quick at maths.
The point is that it places a requirement on the user and interrupts their workflow when they just want to Get Stuff Done. And if it stops working then the burden is on the user to make it work again.
That's true of any authentication mechanism. It works until it doesn't. If you wanted to work this into a traditional terminal workflow: "generateToken my.host && ssh my.host".
TOTP is the least worst way of doing 2FA.
I wish I lived in a world where this sort of thing wasn't necessary, but if you have a service where there are accounts that are worth a lot of money in the real world, you need to have some kind of 2FA.