I just went round and round with my bank about needing my phone number so they can text me a TOTP. You know, for security. They just can't quite seem to wrap their head around how having the same device running their banking app that also receives the text is not secure when the device is no longer in your possession.
Doesn't the attacker still need to know the password to the banking account, or the master password to the password manager? That'd be the second factor.
Besides being able to unlock the phone in the first place obviously.
I only switched to a device with FaceID recently, so I haven't seen how frequent false positives are in the wild. I still have devices with ThumbID, and I can get into my tablet with rubber gloves without any issues. As far as just a password, if you're using a password manager also located on the phone... There's also people that just don't enable any of that kind of thing on their apps. So we're still fighting those fights. I'm the type that wishes every single app required authentication, though.
Huh, TOTP and HOTP are pretty technical terms, and I generally don't hear them in places meant for general consumers to read (e.g. even Google Authenticator, which does TOTP and HOTP, doesn't say TOTP or HOTP). The general term, OTP, is much more common, and is accurate for SMS.
It's called two-step verification. Prevents someone from "guessing" the password but doesn't stop someone who has physical access to the device with the password stored. Same as with e-mail or SMS codes, basically. I don't think I recall any websites that detect I am using my phone and rely on a true "second factor" aside from enterprise applications where I got a hardware YubiKey.
It is called two-factor or multi-factor authentication. It should be something you know (password) and something you have (device). Storing TOTP with your password defeats the entire point of it.
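To make the TOTP/HOTP terminology from the earlier comment concrete, and to show why the last comment's point holds, here is an added example (not code from the thread or from any authenticator app) that implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library and checks them against the published RFC test vectors. The only input to a code is the shared seed plus a counter or the clock: whoever holds the seed can compute every future code, so a seed stored in the same password-manager entry as the password is just a second copy of "something you know", not "something you have". Function names and the verification window are my own choices.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    # Dynamic truncation: 31 bits starting at the offset given by the last nibble.
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (time // step)."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side
    to absorb clock drift, comparing in constant time. A real verifier must also
    remember the last accepted step so one code cannot be replayed."""
    base = int(unix_time) // step
    ok = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, base + delta, digits)
        # No early return: every candidate is compared to keep timing uniform.
        ok |= hmac.compare_digest(candidate, code)
    return ok


# Constructed walk-through using the RFC 4226 / RFC 6238 shared test secret.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))          # 755224 per RFC 4226
    print("TOTP at t=59 (8 digits):", totp(RFC_SECRET, 59, digits=8))  # 94287082 per RFC 6238
    now = time.time()
    code = totp(RFC_SECRET, now)
    print("current code verifies:", verify_totp(RFC_SECRET, code, now))
```

Anyone who can read `RFC_SECRET` from a device gets exactly the same `code` the server expects; the phone adds nothing unless the seed stays inside hardware the attacker cannot copy from.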