this post was submitted on 23 Feb 2024
56 points (98.3% liked)
This is a great feature. I just enabled it, and it works just fine. However, I was a bit confused when I didn't see any backup codes generated until I realized that the SMS/Call method is, in this case, the backup method. So, while it is more convenient to use an MFA app, I'm not sure about the security if the SMS method is still an option.
You can generate a code grid and remove SMS altogether.
If I had the power to, I would've pinned this comment as it's helpful to those still using SMS for backups 👍
Thank you so much for sharing this valuable information! Your input is greatly appreciated.
Authentication is only ever as strong as its weakest link. All the fancy passwords, MFA, passkeys or whatever mean nothing in the face of "I forgot my password" email resets and the like.
I know people who just hammer randomly on the keyboard whenever they get asked for a password, then use the "I forgot my password" system to get "authenticated," providing yet another set of random keystrokes as the new password.
And it's not horrible, I guess. They're using strong passwords. They're never reusing passwords anywhere, not even for successive logins at the same site. They have to be explicitly targeted by someone who is willing to target their email system.
This does nothing to secure against mass breaches, but neither does the strongest authentication system. But, like any of the strongest authentication systems, account takeover requires deliberate targeting.
Yes but you’re free to use an email provider which also supports security keys, which Gmail and Proton Mail* do. I understand that the CRA needs to accommodate the average person who doesn’t care about security, but I think everyone in this thread appreciates when they also cater to people who care deeply about security and are willing to use strong unique passwords in a password manager and security keys or at least TOTP.
* It seems like they require keeping TOTP enabled because their mobile apps don’t support security keys. Meh.
To clarify on this: even the people who use gibberish as their password and don’t store it and rely on password resets via email are actually somewhat safe if their email is also highly safe. Maybe their password strategy for CRA implies they don’t take their email password security seriously either… but still, my point is just that “at least as secure as your email” can be an incredibly high bar if you do it right.
🤦🏻‍♂️