Hacker News

brettanomyces, yesterday at 2:13 PM, 4 replies

TOTPs are okay for some things, but often regulation means each code/challenge needs to be tied to a specific action. TOTP codes typically last for 30s and multiple actions can happen within 30s, so it's not possible to use TOTP in many cases.

PUSH approval could be used instead but then you need to download an app for every service you use, which isn't very convenient.

PASSKEYS offer a solution which will work on both web and mobile and don't require you to download an app for every service. But it's a new concept that people need to learn so how fast they will be adopted is yet to be seen.


Replies

hedora, yesterday at 3:03 PM

> TOTP codes typically last for 30s and multiple actions can happen within 30s

The server just needs to remember which TOTP codes have been used and to reject after the first use.

The code is no longer sensitive after it has been used, so jam it in a database that can expire tuples after a few minutes or stick it in a login audit table if you have one.
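A worked version of what hedora describes, added here as an example (not code posted by any commenter): an RFC 6238 TOTP verifier that records which time-step counters a user has already redeemed and rejects a second use of the same code. Keying the "used" table by (user, counter) rather than by the six-digit string also blocks replaying the code in an adjacent step that the skew window would otherwise accept. The secret is the RFC 6238 test-vector key, so the codes below can be checked against the RFC; the retention period, window size and in-memory store are assumptions standing in for the database or audit table hedora mentions.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

STEP = 30      # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6
WINDOW = 1     # accept one step of clock skew on either side

# RFC 6238 Appendix B test secret ("12345678901234567890" in base32); demo only.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step))


class TotpVerifier:
    """Verify codes and refuse to accept the same (user, counter) twice.

    `used` maps (user, counter) -> expiry timestamp. Entries are dropped once
    the counter can no longer fall inside any acceptance window, which is the
    "expire tuples after a few minutes" behaviour from the comment.
    """

    def __init__(self, secret_b32: str, retain: int = 300):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.retain = retain                       # seconds to remember a used counter (assumption)
        self.used: Dict[Tuple[str, int], float] = {}

    def _expire(self, now: float) -> None:
        for key in [k for k, exp in self.used.items() if exp <= now]:
            del self.used[key]

    def verify(self, user: str, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        self._expire(now)
        counter = int(now // STEP)
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            # constant-time compare so a mismatch position is not timing-observable
            if hmac.compare_digest(hotp(self.secret, c), code):
                if (user, c) in self.used:
                    return False               # replay of an already-redeemed code
                self.used[(user, c)] = now + self.retain
                return True
        return False                           # no counter in the window matches


if __name__ == "__main__":
    v = TotpVerifier(DEMO_SECRET_B32)
    code = totp(v.secret, 59)
    print("code at t=59:", code)                 # 287082 per RFC 6238 (6-digit truncation)
    print("first use:", v.verify("alice", code, now=59))
    print("replay 11s later:", v.verify("alice", code, now=70))
```

Note that replay detection is per user: the same code string is accepted for a different user because each user has a different secret in practice and the (user, counter) key keeps the tables separate.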

jabroni_salad, yesterday at 4:06 PM

I have some rural Duo customers and we always end up having to dial up the timeouts because it can take longer than a minute to receive a push notification in some areas. One of them has told me that duo is the only 'notification thingy' that works because the other implementations won't wait long enough.

lxgr, yesterday at 2:27 PM

Beyond "just" being phishing resistant, for banking/payments, WebAuthN even has the opportunity of providing "what you see is what you sign":

The Secure Payment Confirmation [1] extension to WebAuthN supports using passkeys on third-party sites (think merchant checkouts) and including signed structured messages (think "confirm payment of <amount> at <merchant> on <today>").

It wouldn't be crazy to imagine authenticators with small OLED displays to provide an end-to-end secure channel for displaying that information, similarly to how cryptocurrency hardware wallets already do it.

Of course, this would require a certain popular hardware and software manufacturer with a competing payment solution to implement the extension...

[1] https://www.w3.org/TR/secure-payment-confirmation/
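To make the "what you see is what you sign" point concrete, here is an added example (not code from lxgr, the W3C spec, or any browser) of the relying-party side: the bank checks not only that the assertion is signed, but that the signed transaction details (payee and amount) equal the transaction it issued the challenge for. The clientDataJSON shape follows the SPC spec's CollectedClientPaymentData as I read it (type "payment.get", a `payment` member with rpId, topOrigin, payeeOrigin, total, instrument) and is an assumption; the authenticator's public-key signature is replaced by an HMAC stand-in over the same bytes WebAuthn signs (authenticatorData || SHA-256(clientDataJSON)) so the example runs with only the standard library. All origins, keys and amounts are constructed.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "bank.example"                     # constructed relying-party id
DEMO_KEY = b"demo-authenticator-key"       # stand-in for the passkey's private key (assumption)


def _auth_data() -> bytes:
    # rpIdHash (32 bytes) || flags (UP|UV) || signCount; minimal authenticatorData
    return hashlib.sha256(RP_ID.encode()).digest() + bytes([0x05]) + b"\x00\x00\x00\x01"


def make_client_data(challenge: str, total: dict, payee_origin: str) -> bytes:
    """What the browser would assemble and show the user before signing (field names assumed)."""
    return json.dumps({
        "type": "payment.get",
        "challenge": challenge,
        "origin": "https://merchant.example",
        "payment": {
            "rpId": RP_ID,
            "topOrigin": "https://merchant.example",
            "payeeOrigin": payee_origin,
            "total": total,                                   # {"currency": ..., "value": ...}
            "instrument": {"displayName": "Demo card ending 1234",
                           "icon": "https://bank.example/card.png"},
        },
    }).encode()


def authenticator_sign(client_data_json: bytes) -> dict:
    """Stand-in authenticator: HMAC over authenticatorData || SHA-256(clientDataJSON)."""
    auth_data = _auth_data()
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return {
        "clientDataJSON": client_data_json,
        "authenticatorData": auth_data,
        "signature": hmac.new(DEMO_KEY, signed, hashlib.sha256).digest(),
    }


def verify_payment_assertion(assertion: dict, expected: dict) -> bool:
    """Relying-party check.

    `expected` is the bank's own record for this challenge:
    {"challenge": ..., "payeeOrigin": ..., "total": {...}}.
    A valid signature over the wrong amount or payee is rejected.
    """
    cd = assertion["clientDataJSON"]
    auth_data = assertion["authenticatorData"]
    signed = auth_data + hashlib.sha256(cd).digest()
    expected_sig = hmac.new(DEMO_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False                                          # tampered payload or wrong key
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                                          # signed for a different rpId
    data = json.loads(cd)
    if data.get("type") != "payment.get" or data.get("challenge") != expected["challenge"]:
        return False                                          # not a payment ceremony / replayed challenge
    p = data.get("payment", {})
    return (p.get("rpId") == RP_ID
            and p.get("payeeOrigin") == expected["payeeOrigin"]
            and p.get("total") == expected["total"])


if __name__ == "__main__":
    record = {"challenge": base64.urlsafe_b64encode(b"demo-nonce").decode().rstrip("="),
              "payeeOrigin": "https://merchant.example",
              "total": {"currency": "USD", "value": "42.00"}}
    good = authenticator_sign(make_client_data(record["challenge"], record["total"], record["payeeOrigin"]))
    print("matching transaction accepted:", verify_payment_assertion(good, record))
    inflated = dict(record, total={"currency": "USD", "value": "4200.00"})
    print("amount mismatch rejected:", verify_payment_assertion(good, inflated))
```

The point of the last three checks is that the signature alone only proves a key was used; binding the payment fields to the bank's own record is what turns the assertion into an approval of one specific transaction, which is the property lxgr contrasts with a bare phishing-resistant login.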

devoutsalsa, yesterday at 3:01 PM

My personal 2FA favorite is OTP + authenticator app. It behaves predictably and doesn’t have weird failure conditions.

SMS 2FA tied to your mobile number sucks if it doesn’t support Google Voice, especially when traveling internationally and your SIM card isn’t in your phone.

Email 2FA usually works, but I just find it annoying.

App-specific push notifications mostly work, but it’s hard to debug if you don’t get the notification. For example, I recently bought a new phone and all of my apps were reinstalled when I restored from a cloud backup. For some reason app notifications didn’t work until I uninstalled & reinstalled the apps. And reinstalling the apps was a bit confusing because some of the apps were not available in the app store based on my physical location in a different country at the time.
