this post was submitted on 23 Feb 2024
56 points (98.3% liked)
Canada
7203 readers
406 users here now
What's going on Canada?
Communities
🍁 Meta
🗺️ Provinces / Territories
- Alberta
- British Columbia
- Manitoba
- New Brunswick
- Newfoundland and Labrador
- Northwest Territories
- Nova Scotia
- Nunavut
- Ontario
- Prince Edward Island
- Quebec
- Saskatchewan
- Yukon
🏙️ Cities / Local Communities
- Calgary (AB)
- Edmonton (AB)
- Greater Sudbury (ON)
- Halifax (NS)
- Hamilton (ON)
- Kootenays (BC)
- London (ON)
- Mississauga (ON)
- Montreal (QC)
- Nanaimo (BC)
- Oceanside (BC)
- Ottawa (ON)
- Port Alberni (BC)
- Regina (SK)
- Saskatoon (SK)
- Thunder Bay (ON)
- Toronto (ON)
- Vancouver (BC)
- Vancouver Island (BC)
- Victoria (BC)
- Waterloo (ON)
- Winnipeg (MB)
🏒 Sports
Hockey
- List of All Teams: Post on /c/hockey
- General Community: /c/Hockey
- Calgary Flames
- Edmonton Oilers
- Montréal Canadiens
- Ottawa Senators
- Toronto Maple Leafs
- Vancouver Canucks
- Winnipeg Jets
Football (NFL)
- List of All Teams:
unknown
Football (CFL)
- List of All Teams:
unknown
Baseball
- List of All Teams:
unknown
- Toronto Blue Jays
Basketball
- List of All Teams:
unknown
- Toronto Raptors
Soccer
- List of All Teams:
unknown
- General Community: /c/CanadaSoccer
- Toronto FC
💻 Universities
💵 Finance / Shopping
- Personal Finance Canada
- BAPCSalesCanada
- Canadian Investor
- Buy Canadian
- Quebec Finance
- Churning Canada
🗣️ Politics
- Canada Politics
- General:
- By Province:
🍁 Social and Culture
Rules
Reminder that the rules for lemmy.ca also apply here. See the sidebar on the homepage:
founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
This is a great feature. I just enabled it, and it works just fine. However, I was a bit confused when I didn't see any backup codes generated until I realized that the SMS/Call method is, in this case, the backup method. So, while it is more convenient to use an MFA app, I'm not sure about the security if the SMS method is still an option.
Authentication is only ever as strong as it's weakest link. All the fancy passwords, MFA, passkeys or whatever mean nothing in the face of "I forgot my password" email resets and the like.
I know people who just hammer randomly on the keyboard whenever they get asked for a password, then use the "I forgot my password" system to get "authenticated," providing yet another set of random keystrokes as the new password.
And it's not horrible, I guess. They're using strong passwords. They're never reusing passwords anywhere, not even for successive logins at the same site. They have to be explicitly targeted by someone who is willing to target their email system.
This does nothing to secure against mass breaches, but neither does the strongest authentication system. But, like any of the strongest authentication systems, account takeover requires deliberate targetting.
Yes but you’re free to use an email provider which also supports security keys, which gmail and proton mail* do. I understand that the CRA needs to accommodate the average person who doesn’t care about security, but I think everyone in this thread appreciates when they also cater to people who care deeply about security and are willing to use strong unique passwords in a password manager and security keys or at least TOTP.
*
it seems like they require keeping TOTP enabled because their mobile apps don’t support security keys. Meh.To clarify on this: even the people who use gibberish as their password and don’t store it and rely on password resets via email are actually somewhat safe if their email is also highly safe. Maybe their password strategy for CRA implies they don’t take their email password security seriously either… but still, my point is just that “at least as secure as your email” can be an incredibly high bar if you do it right