Hacker News

_bin_ 05/14/2025 (6 replies)

This is probably compliance-related. For me, TOTP isn’t “something I have”, it’s another thing I toss into my password manager and sync to all devices.

I really agree with it, but that’s probably their rationale.


Replies

Sargos 05/14/2025

Banks didn't support TOTP long before we were able to easily sync them across devices. It's likely more along the lines of banks generally have bad IT departments and outdated digital security policies.

lxgr 05/14/2025

The real problem is not having a (trusted) way of seeing what you are consenting to by entering a TOTP (which can be phished).

SMS-OTP, with all its downsides, allows attaching a message of who you're paying how much to the actual code.
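Added illustration of the point above (my own example, not code from the thread or from any bank): an RFC 6238 TOTP code is an HMAC over the secret and the time step only, so a code the user is tricked into disclosing verifies for whatever request the server receives in that step, whereas a code computed over the payee and amount the user is shown (OCRA-style transaction signing, a hypothetical scheme here) only verifies for that exact transaction. The secret, timestamp and payee names are constructed.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, message: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of HMAC-SHA1 over an arbitrary message."""
    mac = hmac.new(secret, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the message is only the current time step, nothing else."""
    return hotp(secret, struct.pack(">Q", now // step), digits)

def transaction_otp(secret: bytes, now: int, payee: str, amount_cents: int,
                    step: int = 30, digits: int = 6) -> str:
    """Hypothetical transaction-bound code (OCRA-style): the time step plus the
    payee and amount the user is shown are all part of the HMAC input."""
    message = (struct.pack(">Q", now // step)
               + payee.encode("utf-8") + b"\x00"
               + struct.pack(">Q", amount_cents))
    return hotp(secret, message, digits)

def verify(code: str, expected_at, now: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check tolerating clock skew of +/- `window` time steps."""
    return any(hmac.compare_digest(expected_at(now + k * step), code)
               for k in range(-window, window + 1))

# Constructed demo values, not a real secret or a real transaction.
SECRET = b"constructed-demo-secret-do-not-reuse"
NOW = 1_700_000_000

def demo() -> tuple:
    # 1. A plain TOTP the user was tricked into reading out verifies for any
    #    request the bank receives in that time step; it says nothing about
    #    who gets paid or how much.
    plain = totp(SECRET, NOW)
    phished_code_accepted = verify(plain, lambda t: totp(SECRET, t), NOW)
    # 2. A code computed over the displayed payee and amount verifies only for
    #    that exact transaction; redirecting the payment fails verification.
    shown = transaction_otp(SECRET, NOW, "Alice", 1250)
    legit = verify(shown, lambda t: transaction_otp(SECRET, t, "Alice", 1250), NOW)
    diverted = verify(shown, lambda t: transaction_otp(SECRET, t, "Mallory", 1250), NOW)
    return phished_code_accepted, legit, diverted

if __name__ == "__main__":
    print(demo())  # expected (True, True, False)
```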

throitallaway 05/14/2025

That same rationale wouldn't support SMS as "something I have." iMessage and other solutions easily spread SMS into cloud and PC lands (ones that are more easily accessible than password managers). More likely it's because of legacy and "good enough" reasons.

Personally I don't put TOTP tokens into my password manager and keep a dedicated app for it, just in case my password manager is pwned.

connicpu 05/14/2025

I do the same, and it somewhat defeats the spirit of 2FA, but I still believe it's more secure. It's basically a second password where intercepting it in transit once isn't enough to be able to repeat the login in the future.

pabs3 05/15/2025

There are hardware TOTP tokens that don't allow export of the secret, that makes them something you have. For example:

https://en.wikipedia.org/wiki/Digipass

wkat4242 05/15/2025

My bank sends me 2FA codes in their app, which I then have to type into... their app. No kidding. Both the key and the validation in the same place, really ridiculous. Even something as crap as SMS 2FA would be better. TOTP or FIDO2 would be miles better.