The bugs, broken apps, and nightmare customer-service bots we can't escape, presented as a blessed and sacred addendum to Pope Leo XIV’s new encyclical on AI
Actually text me the one-time passcode, rather than saying you sent it to me while instead texting it to the molten core of the earth.
Uhhh… how about NO??
In fact, as a casual security professional (it’s not a core part of my job, but I know a lot more than most ppl), I openly advocate making SMS and eMail illegal for transmitting one-time passcodes.
Why? Because both are critically insecure, cannot be adequately secured outside of laboratory or highly restrictive environments, and can be trivially hijacked.
The only one-time passcodes that should be used are one-time password generators (TOTP) such as Google Authenticator or any other such method.
Yes, this requires a little more effort on the part of the site owner, but it’s worlds better than SMS or eMail, and far more user-friendly than forcing the user to open the company’s app just to receive the code (looking at you, Canadian banks and other businesses like Telus).