Hacker News new | past | comments | ask | show | jobs | submit login

My wife worked for the government.

When they deployed wfh, they used mfa. They banned Google authenticator out of the view Google can't be trusted. But told people to search the app store for any other mfa app. They one my wife found makes you wait for an ad run before it displays the code. It sometimes crashes and is generally terrible.

The point being banning certain apps seems far more political than well thought out.




Sorry, their official MFA policy was "just go find a random one"? How would that even work? Do they have a contract with every MFA service?


> How would that even work?

TOTP is a standard (https://www.rfc-editor.org/rfc/rfc6238), so I don't see how that wouldn't work.


Let's just assume that not ALL government agencies employ rocket scientists.


It wouldn't work if the app implementing TOTP decided to share the seeds you stored in it.


Yes that was the official policy. I was in such disbelief I made her show me the official guide she was given. Of course im sure they had no contracts anywhere, it looked like someone simply said "google will sell your data" and someone senior bought it and banned one app.


I would presume a random TOTP app. Incredibly stupid policy nonetheless.


> Sorry, their official MFA policy was "just go find a random one"? How would that even work? Do they have a contract with every MFA service?

TOTP is a standard, so anyone can implement it.

https://www.rfc-editor.org/rfc/rfc6238


Authy is good, or freeotp if you want to go full FOSS.


Duo Mobile on iOS lets you save and restore your TOTP tokens across iPhone backups with a symmetric passphrase. It provides some peace of mind in the event you would lose your phone.


I find it very sad that the government isn't even capable of writing its own presumably TOTP authenticator app.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: