Question about Square Enix security token

[Canadane]

It's no worse than half of the other software security tokens out there, but neither is it any better.

That said, I'm very tired of companies making their own variant two-factor code; I would vastly prefer they used the standard TOTP (RFC 6238) or HOTP (RFC 4226) authentication. That way you could use anything that supported those standards. Be it things like Token2 hardware tokens, or Google's Authenticator software, or ecoystems like Authy or 1Password. Then I could stop having like five different custom authenticators installed on my phone for different systems.

(Especially since I cannot see any appreciable security benefit to SquareEnix's OTP implementation, versus TOTP or HOTP.)

I mean, SE has had theirs out for 11 years now.
Why change what works? Seems to be SE's policy on many things.

[Packetdancer]

I mean, SE has had theirs out for 11 years now.
Why change what works? Seems to be SE's policy on many things.

Because it's one less thing to maintain; if you maintain a custom-built software token, then as the mobile operating systems update, sooner or later you need to redo the app to update it for a newer operating system. Things that were written for iOS 2.0 are very different than things written for iOS 13, just as things written for Android 2.4 and Android 10.0 are extremely different; in neither case would the original code compile for a newer system.

If you rely on standards-driven authenticators, then you don't have to maintain anything; you just tell people to use Google Authenticator, or Authy, or 1Password, or anything else that supports TOTP/HOTP.

As to why they don't, when it would mean less long-term work?

¯\_(ツ)_/¯

[linay]

Because it's one less thing to maintain; if you maintain a custom-built software token, then as the mobile operating systems update, sooner or later you need to redo the app to update it for a newer operating system. Things that were written for iOS 2.0 are very different than things written for iOS 13, just as things written for Android 2.4 and Android 10.0 are extremely different; in neither case would the original code compile for a newer system.

If you rely on standards-driven authenticators, then you don't have to maintain anything; you just tell people to use Google Authenticator, or Authy, or 1Password, or anything else that supports TOTP/HOTP.

As to why they don't, when it would mean less long-term work?

¯\_(ツ)_/¯

I wish the standard works like FFXIV's app. I find it nicer to use than Google authenticator (or equivalent).