Revert the removal of standard TOTP

For full transparency, I haven’t used the mobile authenticator, and I don’t plan to, even if I install the app later.

TOTP support was recently removed, as I was unfortunately notified by email. This is extremely problematic:

  • We lose out on easy backups to avoid being locked out - “don’t lose it” is not a backup strategy
  • It’s harder to track one unique authenticator app per service you’re using, with all the baggage that comes with each of them, than it is to track one OTP app that manages all your OTPs and can be swapped out for another OTP app at will
  • We lose portability - oops, your device is not supported, now you aren’t allowed to use OTPs
  • Worse accessibility - I already understand how to use adlib authenticator and I find it easy to use; why do I have to switch?

and this is all assuming the app works, which the forum here doesn’t suggest. These problems will push more people to simply ignore having any authenticator, which is not a thing you want to do. It’s perfectly fine if you want to have the “bad authenticator for people who already have the mobile app” as an option, and it’s fine if that option literally uses standard TOTP as a backend (which it seems to), but it should not replace the “real authenticator for people who use the internet” option.

In summary: the recent change removing the ability to set up TOTP yourself is insecure, inaccessible, and bad practice. Revert it.

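The backup and app-swapping properties the post attributes to standard TOTP follow from RFC 6238 itself: the only state is a shared secret plus the clock. The sketch below is an added example, not part of the original post or any service's code; it exports an enrolment as an `otpauth://` key URI, re-imports it as a second app would, and derives the same code. The issuer, account and function names are hypothetical, and the secret is the RFC 6238 test value.

```python
import base64, hashlib, hmac, struct
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def totp(secret_b32, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 code for a base32 shared secret at a given Unix time."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # apps often strip padding
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, HASHES[algorithm.upper()]).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def export_uri(issuer, account, secret_b32, digits=6, period=30, algorithm="SHA1"):
    """Serialise an enrolment as an otpauth:// key URI: this string is the backup."""
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "algorithm": algorithm, "digits": digits, "period": period})
    return f"otpauth://totp/{quote(issuer + ':' + account)}?{query}"

def import_uri(uri):
    """Parse a key URI the way a second, unrelated authenticator app would."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in q:
        raise ValueError("key URI has no secret")
    return {"secret_b32": q["secret"], "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30)), "algorithm": q.get("algorithm", "SHA1")}

if __name__ == "__main__":
    backup = export_uri("ExampleService", "alice@example.test", RFC_SECRET_B32)
    restored = import_uri(backup)
    now = 59  # RFC 6238 test time
    print(backup)
    print(totp(RFC_SECRET_B32, now), totp(unix_time=now, **restored))
```

The exported URI contains the secret in clear, so a backup of it needs the same protection as a password.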