What the title says. Before you had to choose either SMS / call via phone or a very clunky code grid.

  • rinze@infosec.pubOP
    9 months ago

    Wealthsimple and Questrade seem to support TOTP but I’m not sure if you can still bypass it with SMS. I don’t think so but I haven’t dug into it.

    Questrade allows TOTP, SMS and some other methods, but you can select which ones you want to enable. I have only TOTP and it works as expected.

    • axby
      9 months ago

      Thanks, I suspected this (I only see “authenticator app” when I log in on a new device or periodically), but I wasn’t sure.

      Related: for finance-related services like Questrade, I’ve stored my TOTP keys on a U2F key, Yubico in my case. Besides the hassle of managing physical keys, is there any drawback to this approach? I’m slightly worried I’ll lose all my keys in a house fire or something, but I assume there’s a recovery option.

      • rinze@infosec.pubOP
        9 months ago

        That I don’t know. I store the TOTP keys in an app on my phone and in a separate KeePass DB that’s different from my regular one. Two copies of that is good enough to let me sleep at night.