
> Having your phone in the same room while doing cognitive work reliably drops your memory, attention, and overall cognitive performance.

That is my biggest problem with most Multifactor authentication. I try to leave my phone in another room to focus, but needing the phone authenticator for something always happens within two hours.

I still don't know why apps think a device I carry in the streets is safer than one I leave at home to do important transactions like moving money, for example. Where I live, there are a lot of cases of people being kidnapped and coerced to make payments (which are instant), yet no Banking app allows you to do anything without a phone.





> I still don't know why apps think a device I carry in the streets is safer than one I leave at home to do important transactions like moving money, for example. Where I live, there are a lot of cases of people being kidnapped and coerced to make payments (which are instant), yet no Banking app allows you to do anything without a phone.

Muggings and kidnappings, as bad as they are, can't really be done at scale.

That device a) has some kind of secure enclave, hopefully, and more importantly b) restricts your ability to run arbitrary code off the internet to the point that everyday users probably can't do it. I don't like it, but they do it because it's effective.


What would your employer say if you said “I don’t own a smartphone. What alternatives exist?”

My current employer has a little nub on my laptop that I touch, but my previous employer was big on making me check my smartphone.


I have at times carried a Firefox Phone and a Pinephone, and deeply enjoyed asking work or other people who insisted I needed to download an app to do (whatever) "Where can I get your app for my phone? No, it's not an iPhone. No, it's not an Android phone either."

(Lately I've been using "It's a work phone, I'm not able to install apps on it, you'll need to run your app past our corporate IT and Security team.")


If your work requires you to have a phone, they should provide it to you. Call it your authentication brick.

They'd give me a company smartphone.

> My current employer has a little nub on my laptop that I touch

This is for authentication?


It’s called a YubiKey. The slim version barely protrudes from the USB port.

Phone call, sms, email, physical fob, 2nd person.

Don't use apps. The only apps on my phone are for communication. Nothing else.

It's quite possible to live with websites.


How are you delineating websites and apps, and can you elaborate what exactly your hypothesis is here?

I presume they mean it's a website when you type it into an URL bar.

And that you don't ever add website bookmarks to the homescreen, because that makes them similar to apps.


I mean anything you have to "install" from an app store tied to a phone OS. Sometimes if there is no other option I install the app/complete the task and uninstall.

The app guys have normalized the idea that every "bright" idea they get about how to exploit my data or waste my attention, they have a right to push it out to my phone, if I have installed their app.

So the stupid apps keep updating with new shit everyday whether I need it or not.


> I still don't know why apps think a device I carry in the streets is safer [...]

Because MFA requirements have never been about security, only security theater. It's the modern version of the "you must change your password every 30 days" rule.


On the contrary, single-factor authentication is generally fine (MFA is still better, of course) if the single factor is an authenticator application or, better yet, a U2F hardware key. If anything in modern web security is theater, it is the password (and SMS MFA, but that's because SMS is a joke to take over).

Wild take here.

MFA is like infinitely more secure than your username/pw that Tim from accounting writes on his notes and reuses the same password everywhere.

How is that not common knowledge?


Wat? If my laptop gets infected and the bad actor tries to access my (insert account protected with MFA here), their ability to do harm is limited by spreading things across two devices.

I have always assumed that this was done to drive app usage. Companies hope that if you use an app regularly you'll keep it on the home screen of your phone, and it becomes a foothold into your most intimate device.

This might defeat the purpose of MFA but I use an authenticator like Ente that works on the desktop and syncs to and from your phone.

It does not defeat the purpose of your MFA code/prompt, as you are still protected even if someone has your password. The only slightly lesser protection is that if someone gains local access to your machine/password manager then everything is compromised vs. having your codes on your phone, but this should be very, very far down the list of security concerns for the majority of people.

The most realistic security threat for OTPs is that they can be phished in a few ways, which is the same problem whether you're using MFA stored on your desktop or phone. Hence the preference for physical security keys / passkeys, which are impossible to phish.


Thank you, I really appreciate this. I've been looking for something exactly like this for ages, whilst trying to toss my current solution.

It's a great app, open source as well and works everywhere, even on the web. I migrated all my MFA to Ente Auth.

Bitwarden has desktop apps. And Vaultwarden hosts your own instance. Also, Bitwarden has MFA. But yes I agree, some have a specific kind of MFA, like Google. I hate Google's MFA. You have to get up and get your phone to press something. I hate being forced to use the phone.

Most MFA solutions can use a FIDO token these days (unless the admins are masochists), which you could keep plugged into your device

Most banking apps here only allow their own app as a 2-factor authentication, not even TOTP is allowed. (I think they do it to increase user engagement.)

The worst one is Mercado Libre, which also requires you to use your phone to "scan" your face every time you log in with a new device. My friends were locked out due to having an allergy or growing a beard. Nowadays, I don't even bother with them... I just shop elsewhere.


Funny how Apple purposely breaks this for convenience. Some merchant or bank will try and implement 2 factor from a code they text you. Apple scans your messages in the background and prompts you to fill the code from one click all from this one “factor” thanks to the iMessage/SMS integration.

Even without Apple’s help, anytime I’m on my phone I get the 2FA code on the same device as I’m logging in on. It defeats the point. But also, I shouldn’t be required to have 2 devices just to login to a website.

I’ll be traveling later this year and I’m debating buying an iPad mini so I have a 2nd authenticated device that can do 2FA. I broke a phone on a trip once and happened to have an iPad with me. It was the only reason I was able to get my replacement phone setup. I’m not sure what I would have done without it. Print and carry around account recovery details that should likely be kept in a safe? That doesn’t sound great.


Monzo (UK) lets you set a limit on withdrawals when you are away from home.

Does it also let you unset the limit?

When you are at home. Also you can print a QR code which you can use when away from home.

That reminds me of the effectiveness of texting codes as MFA, when the password can also be reset by texting a code...

Those services just have SFA (Single Factor Authentication): the cell phone number (which can be stolen remotely by social engineering).


Pretty much every password manager can store MFA (Bitwarden, 1Password). You only need a smartphone to log in to the password manager once a day.

Apple keychain lets you store TOTP secrets, and Google Auth will let you export the seeds.

That turns the laptop + fingerprint into your extra factors.
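The two comments above (a desktop authenticator that syncs with the phone, and password managers that store the exported TOTP seed) and the earlier point that OTPs are phishable while security keys/passkeys are not all hinge on the same mechanics, so here is one added example (not code from any of the commenters or from Ente, Bitwarden or 1Password) that shows them. It implements RFC 4226 HOTP / RFC 6238 TOTP with the standard library, so any device holding the base32 seed produces the identical code; it then models a real-time relay phishing site and shows that the relayed TOTP code verifies, while a WebAuthn-style assertion does not, because the browser binds it to the origin the user is actually on. The seed is the RFC reference seed; the challenge, the domain names and the per-credential key are constructed, and an HMAC stands in for the ECDSA signature a real authenticator produces (an assumption made to keep the example dependency-free; the origin-binding logic is unchanged).

```python
import base64
import hashlib
import hmac
import struct

# Constructed: the RFC 4226/6238 reference seed "12345678901234567890", base32-encoded
# the way an authenticator app stores it from an otpauth:// URI.
RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = unix_time // step.
    Phone app, desktop app and password manager all compute the same value from the
    same seed; the seed *is* the factor, which is why syncing/exporting it works and
    why local compromise of the seed store compromises every code."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server side: accept +/- `window` steps of clock drift.
    Note what is absent: nothing says *where* the code was typed, so a code relayed
    through a phishing page is indistinguishable from a genuine one."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + d * step, step), code)
        for d in range(-window, window + 1)
    )


def fido_assert(cred_key: bytes, origin_rp_id: str, challenge: bytes) -> dict:
    """Authenticator side of a WebAuthn-style assertion. The browser, not the user,
    supplies origin_rp_id from the page origin, so a phishing page can only obtain an
    assertion over its own domain. Assumption: HMAC stands in for an ECDSA signature."""
    rp_id_hash = hashlib.sha256(origin_rp_id.encode()).digest()
    sig = hmac.new(cred_key, rp_id_hash + challenge, hashlib.sha256).digest()
    return {"rp_id_hash": rp_id_hash, "sig": sig}


def fido_verify(cred_key: bytes, expected_rp_id: str, challenge: bytes, assertion: dict) -> bool:
    """Relying-party side: recompute over *its own* rpId and the challenge it issued."""
    expected_hash = hashlib.sha256(expected_rp_id.encode()).digest()
    good_sig = hmac.new(cred_key, expected_hash + challenge, hashlib.sha256).digest()
    return assertion["rp_id_hash"] == expected_hash and hmac.compare_digest(good_sig, assertion["sig"])


def relay_phish(now: int, challenge: bytes) -> tuple:
    """Constructed scenario: attacker hosts login-example.evil and relays the victim's
    input to example.com in real time. Returns (totp_accepted, fido_accepted)."""
    cred_key = b"\x11" * 32  # constructed per-credential key shared with the RP (simplification)
    # TOTP: victim reads the digits off the phone, types them into the phishing page,
    # attacker forwards them within the 30 s window -> accepted.
    totp_accepted = verify_totp(RFC_SEED, totp(RFC_SEED, now), now)
    # FIDO: attacker forwards example.com's challenge, but the victim's browser signs it
    # bound to the phishing origin -> rejected by example.com.
    assertion = fido_assert(cred_key, "login-example.evil", challenge)
    fido_accepted = fido_verify(cred_key, "example.com", challenge, assertion)
    return totp_accepted, fido_accepted


if __name__ == "__main__":
    print("RFC 6238 TOTP at t=59:", totp(RFC_SEED, 59, digits=8))
    print("relay phishing (totp_accepted, fido_accepted):", relay_phish(1111111111, b"\x00" * 32))
```

The HOTP/TOTP values can be checked against the published RFC 4226 and RFC 6238 test vectors (counter 0 gives 755224; time 59 with 8 digits gives 94287082). The practical takeaway matches the thread: moving the seed from a phone to a desktop authenticator or password manager changes who can read the seed, not what the code proves to the server.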




