If I’m rolling out MFA to users, should I provide TOTP, SMS or both?

Çağlar Arlı

My site's users currently do not have any MFA options, but we're planning to release this feature in the near future. We've already built support for TOTP and have it working internally, but some on my team think that it won't be very user friendly (many of our users are very non-technical) and are advocating to use SMS as another form to authenticate. I've heard that SMS is vulnerable to SIM swapping attacks and isn't recommended, but those who advocate say that SMS is better than nothing. My main question is whether we should allow for TOTP, SMS, or both. I'm afraid that if we release MFA with 2 options, TOTP and SMS, then most users will choose SMS over TOTP, and we'll be in a bad spot long term.