this post was submitted on 23 Feb 2024
56 points (98.3% liked)

Canada

7203 readers
398 users here now

What's going on Canada?



Communities


🍁 Meta


🗺️ Provinces / Territories


🏙️ Cities / Local Communities


🏒 SportsHockey

Football (NFL)

  • List of All Teams: unknown

Football (CFL)

  • List of All Teams: unknown

Baseball

Basketball

Soccer


💻 Universities


💵 Finance / Shopping


🗣️ Politics


🍁 Social and Culture


Rules

Reminder that the rules for lemmy.ca also apply here. See the sidebar on the homepage:

https://lemmy.ca


founded 3 years ago
MODERATORS
 

What the title says. Before you had to choose either SMS / call via phone or a very clunky code grid.

you are viewing a single comment's thread
view the rest of the comments
[–] nimnim@lemmy.ca 18 points 8 months ago (3 children)

This is a great feature. I just enabled it, and it works just fine. However, I was a bit confused when I didn't see any backup codes generated until I realized that the SMS/Call method is, in this case, the backup method. So, while it is more convenient to use an MFA app, I'm not sure about the security if the SMS method is still an option.

[–] rinze@infosec.pub 12 points 8 months ago (2 children)

You can generate a code grid and remove SMS altogether.

[–] nimnim@lemmy.ca 2 points 8 months ago

Thank you so much for sharing this valuable information! Your input is greatly appreciated.

If I had the power to, I would've pinned this comment as it's helpful to those still using sms for backups👍

[–] jadero@lemmy.ca 2 points 8 months ago* (last edited 8 months ago) (1 children)

Authentication is only ever as strong as it's weakest link. All the fancy passwords, MFA, passkeys or whatever mean nothing in the face of "I forgot my password" email resets and the like.

I know people who just hammer randomly on the keyboard whenever they get asked for a password, then use the "I forgot my password" system to get "authenticated," providing yet another set of random keystrokes as the new password.

And it's not horrible, I guess. They're using strong passwords. They're never reusing passwords anywhere, not even for successive logins at the same site. They have to be explicitly targeted by someone who is willing to target their email system.

This does nothing to secure against mass breaches, but neither does the strongest authentication system. But, like any of the strongest authentication systems, account takeover requires deliberate targetting.

[–] axby@lemmy.ca 3 points 8 months ago* (last edited 8 months ago) (1 children)

Yes but you’re free to use an email provider which also supports security keys, which gmail and proton mail* do. I understand that the CRA needs to accommodate the average person who doesn’t care about security, but I think everyone in this thread appreciates when they also cater to people who care deeply about security and are willing to use strong unique passwords in a password manager and security keys or at least TOTP.

* it seems like they require keeping TOTP enabled because their mobile apps don’t support security keys. Meh.

[–] axby@lemmy.ca 3 points 8 months ago

To clarify on this: even the people who use gibberish as their password and don’t store it and rely on password resets via email are actually somewhat safe if their email is also highly safe. Maybe their password strategy for CRA implies they don’t take their email password security seriously either… but still, my point is just that “at least as secure as your email” can be an incredibly high bar if you do it right

[–] ebits21@lemmy.ca 1 points 8 months ago

🤦🏻‍♂️