2FA / U2F
-
Why is 2FA via SMS/TOTP required to be able to set up U2F? SMS/TOTP is less secure and this really doesn’t make any sense, to require a less secure solution to enable a more secure one. Recovery codes should be enough of a backup.
WP.com: Yes
Correct account: Yes
The blog I need help with is: (visible only to moderators and staff)
-
Hi @burtek, our support forums aren’t really meant for debating technical decisions. Most of those discussions can be found on our Github if you’re interested in reading or participating in those.
From a support standpoint, though, we can file an enhancement request for you if you’d like. If I understand correctly, you’d like to have an option to generate backup codes without requiring choosing any other mechanism for delivering new codes, such as a text or app. Is that correct? If you can share a source you’d like to cite for “SMS/TOTP is less secure”, that would be helpful, too.
-
Hi,
Didn’t know I’d post this on a forum after clicking ‘contact support’ 🤷♂️
I’d love to be able to set up hardware U2F with backup codes without having to set up SMS/TOTP 2FA.
SMS is a very insecure option, with SIM swap attacks still being an issue in today’s world, as well as due to its insecure nature (see https://www.howtogeek.com/709373/why-sms-text-messages-arent-private-or-secure/).
As for OTP (TOTP/HOTP), the devices used for generating those codes (smartphones or computers) can be hacked and the secrets can be stolen. That’s not the case with U2F hardware keys, which can’t be remotely compromised and have their secret stolen, even when used with an infected computer/smartphone.
-
It’ll just depend on the plan you’re using. The contact form should say whether you’re posting to the forums, though:
https://wordpress.com/support/help-support-options/
Whether you’re posting here or in a support chat, we won’t get into deep debates, but we can certainly pass along feedback.
So this would be a request to allow U2F hardware keys without requiring a phone or code app, right?
-
-
It looks like we already have an open issue for this, so I have revived it: https://github.com/Automattic/wp-calypso/issues/21133
Thanks!
-
@supernovia, and one more argument: OTP/SMS codes can be manually, unwittingly typed into a phishing website, while a U2F key won’t work with a phishing website.
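The two properties argued in this thread (a TOTP code verifies no matter which site asked for it, while a U2F/WebAuthn assertion is bound to the origin the browser saw) can be shown side by side. The following is an added example, not code from this thread or from WordPress.com: the TOTP part is the real RFC 4226/6238 algorithm using the RFC test secret; the U2F/WebAuthn part is a constructed, simplified model in which HMAC-SHA256 with a per-credential key stands in for the authenticator's ECDSA signature, and the host names, challenge and key material are made up for the scenario.

```python
import hashlib
import hmac
import json
import struct

# ---- TOTP (RFC 4226 / RFC 6238, HMAC-SHA1) -------------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from wall-clock time only."""
    return hotp(secret, unix_time // step, digits)


def server_verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    # Note what is *not* an input here: the site the user typed the code into.
    # Anyone holding the secret bytes (or a relayed code) passes this check.
    return hmac.compare_digest(totp(secret, unix_time), submitted)


# ---- U2F / WebAuthn origin binding (constructed, simplified model) --------
# A real authenticator signs with an ECDSA P-256 key scoped to the RP ID; here
# HMAC-SHA256 with a per-credential key stands in for that signature so the
# example runs on the standard library alone. The signed message keeps the real
# layout: sha256(rpId) || sha256(clientDataJSON), where clientDataJSON carries
# the server challenge and the page origin the browser observed.

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(credential_key: bytes, rp_id: str, client_data: bytes) -> bytes:
    message = rp_id_hash(rp_id) + hashlib.sha256(client_data).digest()
    return hmac.new(credential_key, message, hashlib.sha256).digest()


def browser_get_assertion(credential_key: bytes, page_origin: str, challenge: bytes):
    """The browser, not the page's script, fills in origin and RP ID from the URL bar."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin},
        sort_keys=True,
    ).encode()
    return client_data, authenticator_sign(credential_key, rp_id, client_data)


def rp_verify_assertion(credential_key: bytes, expected_origin: str, challenge: bytes,
                        client_data: bytes, signature: bytes) -> bool:
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("challenge") != challenge.hex():
        return False
    if data.get("origin") != expected_origin:  # origin binding: the decisive check
        return False
    expected_rp_id = expected_origin.split("://", 1)[1]
    expected = authenticator_sign(credential_key, expected_rp_id, client_data)
    return hmac.compare_digest(expected, signature)


def relay_scenarios() -> dict:
    """Constructed scenario: the user is on a look-alike site that forwards
    everything it receives to the real site in real time."""
    real_origin = "https://example.com"
    fake_origin = "https://examp1e.com"      # constructed look-alike host
    now = 1_700_000_000
    totp_secret = b"12345678901234567890"    # RFC 6238 test secret
    cred_key = hashlib.sha256(b"constructed per-credential key").digest()

    # TOTP: the user reads the code off their app and types it into the fake site,
    # which forwards it; the real server has no way to tell where it was typed.
    typed_on_fake_site = totp(totp_secret, now)
    totp_relay_accepted = server_verify_totp(totp_secret, typed_on_fake_site, now)

    # U2F/WebAuthn: the real site's challenge is forwarded, the user taps the key
    # while on the fake origin, and the fake site forwards the assertion.
    challenge = hashlib.sha256(b"constructed server challenge").digest()
    fake_cd, fake_sig = browser_get_assertion(cred_key, fake_origin, challenge)
    u2f_relay_accepted = rp_verify_assertion(cred_key, real_origin, challenge, fake_cd, fake_sig)

    # Same key, same challenge, genuine origin: this is the login that should work.
    real_cd, real_sig = browser_get_assertion(cred_key, real_origin, challenge)
    u2f_genuine_accepted = rp_verify_assertion(cred_key, real_origin, challenge, real_cd, real_sig)

    return {
        "totp_relay_accepted": totp_relay_accepted,      # True
        "u2f_relay_accepted": u2f_relay_accepted,        # False
        "u2f_genuine_accepted": u2f_genuine_accepted,    # True
    }


if __name__ == "__main__":
    print(relay_scenarios())
```

The asymmetry is entirely in the inputs to verification: `server_verify_totp` takes a secret, a code and a time, so a code typed on any page verifies; `rp_verify_assertion` also takes the origin the real site expects, and the browser is the party that writes the origin and RP ID into what the key signs, so a look-alike host cannot produce an assertion the genuine site accepts. In a real authenticator the credential is additionally scoped to the RP ID, so a key would not even have a credential to offer a different host.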
- The topic ‘2FA / U2F’ is closed to new replies.