What the title says. Before, you had to choose either SMS / call via phone or a very clunky code grid.
To clarify on this: even the people who use gibberish as their password and don’t store it and rely on password resets via email are actually somewhat safe if their email is also highly safe. Maybe their password strategy for CRA implies they don’t take their email password security seriously either… but still, my point is just that “at least as secure as your email” can be an incredibly high bar if you do it right
Makes me glad I live in BC, and have had an equivalent to this for years for signing into CRA stuff.
This is a great feature. I just enabled it, and it works just fine. However, I was a bit confused when I didn’t see any backup codes generated until I realized that the SMS/Call method is, in this case, the backup method. So, while it is more convenient to use an MFA app, I’m not sure about the security if the SMS method is still an option.
You can generate a code grid and remove SMS altogether.
If I had the power to, I would’ve pinned this comment as it’s helpful to those still using sms for backups👍
Thank you so much for sharing this valuable information! Your input is greatly appreciated.
Authentication is only ever as strong as its weakest link. All the fancy passwords, MFA, passkeys or whatever mean nothing in the face of “I forgot my password” email resets and the like.
I know people who just hammer randomly on the keyboard whenever they get asked for a password, then use the “I forgot my password” system to get “authenticated,” providing yet another set of random keystrokes as the new password.
And it’s not horrible, I guess. They’re using strong passwords. They’re never reusing passwords anywhere, not even for successive logins at the same site. They have to be explicitly targeted by someone who is willing to target their email system.
This does nothing to secure against mass breaches, but neither does the strongest authentication system. But, like any of the strongest authentication systems, account takeover requires deliberate targeting.
Yes but you’re free to use an email provider which also supports security keys, which gmail and proton mail* do. I understand that the CRA needs to accommodate the average person who doesn’t care about security, but I think everyone in this thread appreciates when they also cater to people who care deeply about security and are willing to use strong unique passwords in a password manager and security keys or at least TOTP.
🤦🏻♂️
That’s great news! I’ll have to make that change next time I login.
Would it be too much to ask for security keys next?
This may sound like a wild fantasy to some, but the US IRS seems to have some partnership with ID.me which supports security keys. But I’m impressed that the CRA supports TOTP before major banks so maybe this could happen.
Granted they also have separate logins for state income tax and California is… well let me just say that I’m grateful that the CRA doesn’t force you to reset your password every 4ish months. (California state income tax (FTB?) does).
Not OP but I wanted to read more (edit: about CRA’s approach to TOTP, before getting the chance to try it myself), I searched and found this: https://www.canada.ca/en/revenue-agency/services/e-services/cra-login-services/multi-factor-authentication-access-cra-login-services.html#toc3
Edit: This is awesome, I’m so glad I can switch away from SMS 2FA on yet another service (and such an important one). But I am curious about a few things, see below.
Some thoughts:
Why is it 30 seconds instead of 60 seconds? I’m pretty sure every other TOTP I’ve seen is 60 seconds. What is the benefit of this? Someone has 30 fewer seconds to read the code over your shoulder and log in on their device? Anyway, sorry for the negativity. This is a great step and I shouldn’t focus on negative things. I just hate how accounts I don’t care much about like Facebook (and formerly Runescape) accounts seem to be more secure from malicious logins than my bank and possibly CRA accounts.
Also big pro is that they allow third party TOTP apps instead of making their own like TD and even Steam (bundling it into their main app).
It looks like you may be able to disable SMS 2FA entirely? It’s unclear to me (edit: if this is a viable option):
I’ll probably leave it enabled anyway just in case (given that I only log in to CRA once per year or so), but I applaud the potential of relying on TOTP only, and not allowing SMS 2FA as a “back door”.
I also use TD. That they still allow only SMS for 2FA should be a crime.
Unfortunately I think this is the norm with big banks in Canada, and it is similar to a credit union in the US from when I briefly lived there. Security seems to be a second priority to people losing access (presumably only briefly, since they have brick and mortar locations everywhere).
Wealthsimple and Questrade seem to support TOTP but I’m not sure if you can still bypass it with SMS. I don’t think so but I haven’t dug into it.
I’ve used CIBC before and they also seem to require keeping SMS 2FA enabled. Also they send me fraud alerts over SMS, “respond Y to authorize this suspicious transaction”, and I’m dreading the day where I have to enable roaming while travelling just to send a text. They send push notifications through the app to login on a new device though, so maybe in 10 years they’ll do it for transaction approval too.
Also, aside about TD: is there really no way to download a CSV file of all your transactions? My partner uses them and I think we were limited to 18 months, and may have even had to download each month separately (luckily I can use a program like cat to work around this, but that seems like a pain for most people). CIBC has irritated me in a lot of ways but I think I can download transactions from back to 2012 when I first opened my credit card, maybe earlier. Do you or anyone know about other big banks? My partner and I are looking into a joint account and I want to be able to download all transactions to CSV. Ideally we could get TOTP only (no SMS 2FA) but I’m not counting on it.
Over the years, I’ve been with all the big Canadian banks and a couple of different credit union networks. They’re all trash, in my opinion. I’ve sent security notices to all of them and never had a response, nor any evidence that they addressed the problems. TD just happens to be the place we landed after giving up on everyone else.
As for transaction downloads, I couldn’t tell you. I gave up on ever having access to my data, so I just record it manually.
Security notice examples:
TD was running their SSL/TLS in a way that made them vulnerable to downgrade attacks.
A credit union finally upgraded their login page to allow a real password instead of just a 6-digit PIN. It took repeated complaints and some customer lobbying to get that, but the new page also blocked access to pasting and autofill, negating the utility of a password manager.
Ah, I hadn’t heard of the SSL issue, thanks for sharing!
I’ve noticed that Tangerine only allows for a 6 digit pin, but I think they might also allow for a security question and SMS 2FA? I started signing up with them and gave up when they required a Canadian cell number (I hadn’t yet switched due to high costs, but recently they’ve become surprisingly reasonable—ignoring roaming) and I saw the 6 digit pin password requirement.
I think it was also BMO that a friend told me required a maximum 8 character password until very recently?
Anyway overall, thanks for reassuring my suspicion: I should just pick one of the banks and not let “perfect” (or even “decent”) be the enemy of “almost adequate but not great”.
Also, for what it’s worth, TD is not just the only bank I know of, but the only website I know of that allows for a user-generated username to be used for login. My TD username was generated by the password generator of my password manager :)
So they don’t get it all wrong.
Questrade allows TOTP, SMS and some other methods, but you can select which ones you want to enable. I have only TOTP and it works as expected.
Thanks, I suspected this (I only see “authenticator app” when I log in on a new device or periodically), but I wasn’t sure.
Related: for finance related services like Questrade, I’ve stored my TOTP keys on a U2F key, Yubico in my case. Besides the hassle of managing physical keys, is there any drawback to this approach? I’m slightly worried I’ll lose all my keys in a house fire or something, but I assume there’s a recovery option.
That I don’t know. I store the TOTP keys in an app on my phone and in a separate KeePass DB that’s different from my regular one. Two copies of that is good enough to let me sleep at night.
30 seconds is the default for TOTP implementations.
Yes, you can stop getting SMS messages.
edit: formatting
Thanks, I edited my comment. No idea how I missed that it was 30 seconds for all this time. It looks like my own TOTP codes are even 30 seconds so I don’t know what I was thinking.
Praise the Lord Jesus Christ our Saviour! It’s about damn time! 😂