
It just needs to be done correctly, not as a "gimme your phone number, peasant" excuse for data mining.

How many computers do you use normally? How hard would it be to link them to your accounts?



> How many computers do you use normally? How hard would it be to link them to your accounts?

I use private browsing exclusively, so I'd hope that's difficult to link to me reliably.


In case you refer to incognito/private windows: that's completely useless. All you can hope to get from it is automatic deletion of cookies. Google got a huge fine for tracking everyone in private mode [0] and you can be certain everyone else who didn't yet get dragged to court is still doing it.

[0] https://www.theguardian.com/technology/2023/dec/29/google-la...


Well, if you want to both refuse to let a site reliably identify you and have a flawless process for identifying you, you'll have a hard time.


> Well, if you want to both refuse to let a site reliably identify you and have a flawless process for identifying you, you'll have a hard time.

And yet the digital certificate the government issues me means they can flawlessly identify me, when I choose for them to be able to identify me, rather than by them permanently tracking my machine.

Explicitly allowlisting a particular install of a particular browser isn’t a strong choice when we already have PKI.


The problem is using multiple browsers, or when a privacy-conscious user decides to delete their internet history.


It's still exhausting.

Literally every time I pay for something via PayPal on my computer, I need to pull out my phone, find the authenticator app, open it, scroll to PayPal, tap it, see if there's enough time for this code or if I should wait for the next one, type the 6 digits into the site...

I mean it takes half a minute, and this easily gets repeated several times a day if you engage in a lot of transaction-type things. And it's no faster if it's by SMS or by e-mail because I'm still spending 15 seconds waiting for the message, and then opening it, typing, then going back to delete the message so it doesn't clutter my inbox -- half a minute total again.


Not to disagree with the cumbersome process - just want to point out that TOTP codes are valid for 30 seconds after they "expire" (60 seconds total). So as long as you are able to remember / copy the digits, there is no need to wait for the next code even if you don't have enough time to type it in. It will still work.

Tangentially, I really wish authenticator apps continued to show the previous code for 30 seconds so I can continue to refer to it for apps that don't allow copy and paste.


TOTP codes are actually valid for 90 seconds, 30 seconds either side of when it’s supposed to be displayed (assuming the display device’s clock is accurate to the second), to allow for up to 30 seconds clock skew on either end, in either direction.


I definitely had no idea! Thanks for that knowledge.

I mean there's never been any UX indication at all that that would be the case. I like your idea of showing the previous code -- that would make it very clear.

Good to know.


To be fair, the reason for this is to account for clock desync between systems, so it wouldn't be correct to say it is still valid for 30 seconds where it might not be in reality. Knowing what this actually means requires understanding the implementation of TOTP, so that you are not surprised in situations where it does fail. The existing authenticator app UX is likely correct for the average user.
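To make the acceptance window in the comments above concrete, here is an added example (not code from the thread or from any authenticator vendor) implementing RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1, plus a server-side check that accepts one time step either side of its own clock. The window of +/-1 step is an assumption: it is the tolerance RFC 6238 discusses and what the "90 seconds" figure above corresponds to, but each service picks its own (a strict server with window 0 only accepts the code during the 30 seconds it is displayed). The secret and timestamps are the published RFC 6238 Appendix B test values, so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 default time step (seconds)
DIGITS = 6
WINDOW = 1     # assumption: server accepts one step either side of "now"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                window: int = WINDOW, step: int = STEP, digits: int = DIGITS) -> bool:
    """Server-side check: accept the code for any counter within +/- window steps
    of the server's own clock. This is what lets a just-expired code still work."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if c < 0:
            continue  # counters before the epoch cannot be packed as unsigned
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def acceptance_span(secret: bytes, shown_at: int,
                    step: int = STEP, window: int = WINDOW) -> tuple:
    """Scan server clock values around the display step and return the first and
    last second at which the code displayed at `shown_at` is accepted."""
    code = totp(secret, shown_at, step)
    counter = shown_at // step
    start = max(0, (counter - window - 1) * step)
    end = (counter + window + 2) * step
    accepted = [t for t in range(start, end) if verify_totp(secret, code, t, window, step)]
    return accepted[0], accepted[-1]


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 Appendix B test secret (SHA-1)
    shown_at = 1111111109              # RFC 6238 test time, 29 s into its step
    display_start = shown_at // STEP * STEP
    first, last = acceptance_span(secret, shown_at)
    print(f"code {totp(secret, shown_at)} is displayed {display_start}..{display_start + STEP - 1}")
    print(f"server with window +/-{WINDOW} accepts it {first}..{last} ({last - first + 1} s)")
    print("strict server (window 0) accepts it", acceptance_span(secret, shown_at, window=0))
```

Running it shows the code for that step displayed for 30 seconds but accepted for 90: from 30 seconds before the authenticator starts showing it until 30 seconds after it rolls over. If the phone's clock runs fast or slow, that 90-second server window is what absorbs the skew, so in practice a user cannot rely on the full extra 30 seconds, which is the caveat the comment above makes.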


> see if there's enough time for this code or if I should wait for the next one, type the 6 digits into the site...

In my experience on most services (not sure about paypal specifically) there's a grace period where a code that just 'expired' is still valid for another ~10-30 seconds? So... at least you can skip that part.


> see if there's enough time for this code

I haven't tried PayPal specifically, but websites will usually still accept the previous code for at least a few seconds after a new one rolls over.


Have you tried a password manager? Many of them will autofill the code for you. It makes it quite seamless.


I thought that defeated the entire purpose of 2FA?

That if your password store got hacked, they still wouldn't have access to your separate 2FA device?


It does to a certain extent but it may be a negligible compromise depending on what you use as your second factor.

https://blog.1password.com/1password-2fa-passwords-codes-tog...


Have you ever done literally anything that is actually exhausting? Because this.... this is not exhausting.


Sounds like a good use case for FIDO authenticators or passkeys.



