this post was submitted on 31 May 2026
59 points (89.3% liked)
Technology
85059 readers
2978 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Uhhh… how about NO??
In fact, as a casual security professional (it’s not a core part of my job, but I know a lot more than most ppl), I openly advocate making SMS and eMail illegal for transmitting one-time passcodes.
Why? Because both are critically insecure, cannot be adequately secured outside of laboratory or highly restrictive environments, and can be trivially hijacked.
The only one-time passcode that should be used are one-time password generators (TOTP) such as Google Authenticator or any other such method.
Yes, this requires a little more effort on the part of the site owner, but it’s worlds better than SMS or eMail, and far more user-friendly than forcing the user to open the company’s app just to receive the code (looking at you, Canadian banks and other businesses like Telus).