submitted 1 year ago by rinze@infosec.pub to c/canada@lemmy.ca

26 comments fedilink hide all child comments

What the title says. Before you had to choose either SMS / call via phone or a very clunky code grid.

you are viewing a single comment's thread
view the rest of the comments

[-] axby@lemmy.ca 1 points 1 year ago* (last edited 1 year ago)

It looks like you may be able to disable SMS 2FA entirely? It’s unclear to me (edit: if this is a viable option):

Can I stop getting Short Messaging Service (SMS) messages for CRA's Multi-factor authentication?

Yes. You can text "STOP" to 27223 or reply "STOP" to the message containing your one-time passcode to stop receiving SMS messages to that telephone number in the future. However, it is important to note that CRA's Multi-factor authentication (MFA) service is mandatory and a passcode is required to sign in to the CRA's sign-in services. Texting "STOP" will prevent your telephone from receiving an SMS message with your passcode in the future. Without the passcode, you will be unable to access the CRA sign-in services using this option and will need to choose an alternate MFA option to use. This option applies only to Canadian telephone numbers.

I’ll probably leave it enabled anyway just in case (given that I only log in to CRA once per year or so), but I applaud the potential of relying on TOTP only, and not allowing SMS 2FA as a “back door”.