>You'll need to implement [...] , processes for people losing their second factor due to
You're exactly right! The pure TOTP algorithm is the easy part. The underestimated part is the extra overhead of human customer support of users that messed up 2FA TOTP.
Title of blog post asks: >So what's your excuse?
One excuse is the issue outside of 2FA algorithm: lost 2FA credentials has more complicated recovery than 1FA. Many websites don't have an established procedure to deal with 2FA customer support.
Whether the 2fA user uses a smartphone, or Yubikey hardware, or software like WinAuth, it's not the simple process like 1FA of "just let customers self-service their own password reset by emailing a temp password to the email address we have in our records".
Case in point is me. Back in 2020, my web hosting service forced everyone (admins) to 2-factor TOTP and I kept putting it off because I was fine with just using a simple 1-factor password to manage my accounts. But then the day of reckoning came for 2-factor and it happened on a day where I was juggling a lot of problems and was in a hurry to login to my admin control panel to fix a configuration issue.
I didn't want to use my phone number for 2-factor because I didn't want the hoster to have it (prevent spam) so I downloaded "WinAuth.exe" and did whatever extra steps I needed to log in. But because I was in a hurry and didn't take meticulous notes and screenshots of what I did to enable 2FA, I now have no idea how to log back into my email host admin panel with a "verification code". I guess they gave me a "secret" for WinAuth to generate TOTP but I don't remember if I copy-pasted it somewhere or saved it to a file I can't find.
Either way, I'm now a customer support ticket because I'm locked out of my account. I was logging in successfully for 15 years with 1-factor before 2-factor came along and complicated the password situation.
Yes, it was my fault that I lost my TOTP procedures but that's not the point. The issue is that 2FA helps improve security but it also adds underestimated extra customer support issues and small websites can't deal with this extra workload. Just copying some trivial algorithm for TOTP doesn't solve that.
So, yes, I suppose a good totp article would cover the user experience as well. But just because some places implement it poorly does not mean it is a bad idea.
You're exactly right! The pure TOTP algorithm is the easy part. The underestimated part is the extra overhead of human customer support of users that messed up 2FA TOTP.
Title of blog post asks: >So what's your excuse?
One excuse is the issue outside of 2FA algorithm: lost 2FA credentials has more complicated recovery than 1FA. Many websites don't have an established procedure to deal with 2FA customer support.
Whether the 2fA user uses a smartphone, or Yubikey hardware, or software like WinAuth, it's not the simple process like 1FA of "just let customers self-service their own password reset by emailing a temp password to the email address we have in our records".
Case in point is me. Back in 2020, my web hosting service forced everyone (admins) to 2-factor TOTP and I kept putting it off because I was fine with just using a simple 1-factor password to manage my accounts. But then the day of reckoning came for 2-factor and it happened on a day where I was juggling a lot of problems and was in a hurry to login to my admin control panel to fix a configuration issue.
I didn't want to use my phone number for 2-factor because I didn't want the hoster to have it (prevent spam) so I downloaded "WinAuth.exe" and did whatever extra steps I needed to log in. But because I was in a hurry and didn't take meticulous notes and screenshots of what I did to enable 2FA, I now have no idea how to log back into my email host admin panel with a "verification code". I guess they gave me a "secret" for WinAuth to generate TOTP but I don't remember if I copy-pasted it somewhere or saved it to a file I can't find.
Either way, I'm now a customer support ticket because I'm locked out of my account. I was logging in successfully for 15 years with 1-factor before 2-factor came along and complicated the password situation.
Yes, it was my fault that I lost my TOTP procedures but that's not the point. The issue is that 2FA helps improve security but it also adds underestimated extra customer support issues and small websites can't deal with this extra workload. Just copying some trivial algorithm for TOTP doesn't solve that.