Can we get a TOTP 2FA login for the website?

Scary_Guy
edited February 2022 in Community Ideas & Feedback

As this is a web store that does financial transactions I'm pretty big on security. It's fun to log in and see my entire transaction history, profile, etc., but it may not be so fun if someone else got hold of that information or started ordering things I don't want for whatever reason.

For that reason I'd like to see 2FA (two-factor authentication) implemented. I'm not talking about e-mail confirmation or a text message, because if they have your email too then that's no good, and SIM cloning exists for phone numbers. I mean they do help, but they're not a complete solution, and there are numerous examples of things secured with those getting hacked by bad actors.

TOTP ( https://en.wikipedia.org/wiki/Time-based_one-time_password ) is an actually good solution. You can use it on the phone or on the same system with a password manager (such as Bitwarden or KeePass) and have it bring up the code, then enter that after you put in the password. It doesn't need to be mandatory to use, but for those who have an increased threat model, like accessing your site from a work PC or living with roommates or whatever, I think it would enhance things.

While I think that a dark mode (as mentioned in my other post) would be easier to implement, I think TOTP (or any 2FA) is more necessary and you should seriously look into this, especially when many of your shoppers are probably security professionals themselves :P

Best Answer

  • Ian
    Ian admin
    Answer ✓

    Greetings. I'll share your suggestion with our web team as they would have to look into this and see if it can be implemented on our site. Definitely a great suggestion!

Answers

  • Scary_Guy
    edited December 2022

    So, I see there is now an OTP option, but you don't need the password, so it is not 2FA. I just logged in via email, which means anyone who has access to my email (which is also my username, BTW) can now log into my account.

    That presents a security hole you can drive a truck through. I mean, my email is secured, but not everyone is technically inclined. If they save their email receipts and someone gets in, they can easily assume they have a MicroCenter account, and if they try to log in... "Oh, do you want to log in with OTP and not use your password?"

    I also just linked it to my phone, so hopefully I can't use that for OTP. SIM cloning is still a thing, last I checked. I'll test to see if I can do it with that after this post. If I can, I'll unlink my number. EDIT: I just tried it and I can log in with my number. I cannot unlink my number from my account either; I can only switch it to a new number.

    Oh, additionally when logging out I got a 404 error. https://www.microcenter.com/site/support/404.aspx?aspxerrorpath=/logout.aspx

    I would still like a TOTP 2FA option for login as well. The others would be fine if they still required a password.

  • Hey there, sorry for the delay in reply. I know our web team is currently reconfiguring features and the layout of our website so it is possible these features will be tweaked and implemented in the near future. I will be glad to pass along your feedback about the updated login options.

  • You know @Ian, I was thinking. If there were a way to disable one-time sign-in (say, a high-security option), I would feel so much better than I do right now.
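Two points in this thread, how a TOTP code is produced from a shared secret (the original request) and why an e-mail or SMS code that replaces the password is single-factor (the December follow-up), can be seen together in the following added Python example. It is not Micro Center's code or anything taken from the site: the `Account` record, the `login` function and the window/replay handling are assumptions of the example, and the secret `RFC_TEST_SECRET` is the published RFC 4226/6238 interoperability vector, used here only so the expected codes are known.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # what authenticator apps show by default

# Interoperability secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# Constructed test data for this example, never a real user's secret.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def match_totp(secret: bytes, code: str, at: int, window: int = 1,
               step: int = STEP_SECONDS, digits: int = DIGITS) -> Optional[int]:
    """Return the time-step counter the submitted code matches, or None.

    A window of +/-1 step tolerates clock drift between phone and server. Every
    candidate is compared with compare_digest and the loop never breaks early, so
    response timing does not reveal which step (if any) matched.
    """
    if len(code) != digits or not code.isdigit():
        return None
    base = at // step
    matched = None
    for delta in range(-window, window + 1):
        candidate = base + delta
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            matched = candidate
    return matched


class Account:
    """Hypothetical server-side account record (assumed for this example)."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._hash(password, self.salt)
        self.totp_secret: Optional[bytes] = None   # None until the user enrols
        self.last_counter = -1                      # highest time step already consumed

    @classmethod
    def _hash(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.PBKDF2_ROUNDS)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password, self.salt), self.password_hash)

    def enroll_totp(self, secret: Optional[bytes] = None) -> str:
        """Generate (or accept) a shared secret; return it Base32-encoded for the authenticator app."""
        self.totp_secret = secret if secret is not None else secrets.token_bytes(20)
        self.last_counter = -1
        return base64.b32encode(self.totp_secret).decode()


def login(account: Account, password: str, code: Optional[str], at: int) -> bool:
    """Two-factor login: the password is always required, and once TOTP is enrolled the
    current code is required as well. A one-time code on its own never grants access."""
    if not account.check_password(password):
        return False
    if account.totp_secret is None:
        return True                      # 2FA not enabled on this account
    if code is None:
        return False
    counter = match_totp(account.totp_secret, code, at)
    if counter is None or counter <= account.last_counter:
        return False                     # wrong code, or a code that was already used
    account.last_counter = counter       # each time step can be consumed only once
    return True


if __name__ == "__main__":
    acct = Account("correct horse battery staple")
    print("secret for the authenticator app:", acct.enroll_totp())
    now = int(time.time())
    code = totp(acct.totp_secret, now)
    print("current code:", code)
    print("password + code accepted:", login(acct, "correct horse battery staple", code, now))
    print("same code replayed:", login(acct, "correct horse battery staple", code, now))
```

The `last_counter` guard is what makes the drift window safe: a code accepted from the previous step cannot be submitted a second time, and a code that has already been used for the current step is refused even though it is still within its 30-second validity. The password check runs first so that the OTP path described in the follow-up (code instead of password) simply does not exist in this flow.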
