This is a great feature. I just enabled it, and it works just fine. However, I was a bit confused when I didn't see any backup codes generated until I realized that the SMS/Call method is, in this case, the backup method. So, while it is more convenient to use an MFA app, I'm not sure about the security if the SMS method is still an option.
Authentication is only ever as strong as it's weakest link. All the fancy passwords, MFA, passkeys or whatever mean nothing in the face of "I forgot my password" email resets and the like.
I know people who just hammer randomly on the keyboard whenever they get asked for a password, then use the "I forgot my password" system to get "authenticated," providing yet another set of random keystrokes as the new password.
And it's not horrible, I guess. They're using strong passwords. They're never reusing passwords anywhere, not even for successive logins at the same site. They have to be explicitly targeted by someone who is willing to target their email system.
This does nothing to secure against mass breaches, but neither does the strongest authentication system. But, like any of the strongest authentication systems, account takeover requires deliberate targetting.
Yes but you’re free to use an email provider which also supports security keys, which gmail and proton mail* do. I understand that the CRA needs to accommodate the average person who doesn’t care about security, but I think everyone in this thread appreciates when they also cater to people who care deeply about security and are willing to use strong unique passwords in a password manager and security keys or at least TOTP.
* it seems like they require keeping TOTP enabled because their mobile apps don’t support security keys. Meh.
To clarify on this: even the people who use gibberish as their password and don’t store it and rely on password resets via email are actually somewhat safe if their email is also highly safe. Maybe their password strategy for CRA implies they don’t take their email password security seriously either… but still, my point is just that “at least as secure as your email” can be an incredibly high bar if you do it right