It's just convenience over security. Lots of things can be done, but then there's the extra burden that companies have to go through. Think about the fact that people don't use app-based authentication because it's inconvenient, even though it matters to them. How can you expect carriers to do it?
They offer both. They simply require more secure authentication, something which doesn't require the app to know the username or password. It's that simple.
Well, it's not always trivial. I'm not even able to log in to anything important without multifactor authentication that is either a hardware OTP of some sort, or using a private key stored in my SIM card that is accessed with a PIN.
It's doable if you really want to, but it's much more of a hassle than just running a script. Definitely not doable at scale, for better or for worse.
There are easy trade-offs one can make between convenience and security. For example, identity verification on the phone with the last four digits of a credit card (Apple).
But then there are policies and technology that increase BOTH convenience and security. Say the difference between using SSH these days versus using, say, paper and an Enigma machine.
The inconvenience of Google Authenticator is minimal and the security provided is huge.
The real killer is the lack of an authenticator app. I'd be interested to know what other people use for that purpose if they're not carrying a mobile.
I disagree. Even if you use the same device to access a service, you still need the device to authenticate. It's authenticating by more than one factor. You need my password, plus my phone, plus possibly a way to access my phone (my PIN code or fingerprint). That's much better than just a password.
I mean, you can do authentication without doing it per base station... The real reason we don't have anything like this is because it's a lot of work to make this work well worldwide, and because a lot of governments are not interested in making spoofing base stations harder on themselves.
I wouldn't mind it if I had to have my phone to access the identity. It would be a simple matter of integration to use the phone to grant a temporary authorization to an unknown device.
You can do authentication without something that's tantamount to someone's government ID. I love when companies make me give them my phone number, and then they get hacked.
I don't understand this. I keep not understanding this.
What's my basic authentication method to a site or system I can write down, backup, export or memorize? What happens if I go naked to a friend and want to use their devices to access my systems? What happens if I lose one or more of my existing devices? What happens if I get locked out of one or more of my devices? Basically am I the only one who doesn't think phone is my life and I don't want my life to be over if I lose my phone?
I feel like I'm in a twilight zone of phone dependencies. Already so many systems refuse to let me in if I don't have my phone with me, due to SMS 2FA I didn't ask for, even though I have a dozen other devices and valid credentials. Now we just want to stop pretending and lock me in to the phone forever? My phone goes with me everywhere I go and is super likely to get lost, broken or stolen. I don't want it to be a dependency for my online access.
The point is lowering liability. By choosing to not use voice authentication (or whatever), it becomes easier to argue that fraud is your fault. Or if you did use it, the company 'is doing everything they can' and 'exceeding industry standards' so it isn't their fault, either. It also just makes them seem more secure to the uninitiated (the security-theater bit, yes).
Maybe one day someone will successfully argue that adding easily defeated checks lowers security, by adding friction for no reason or instilling false confidence in users at both ends.