I tried to setup 2FA on my Xfinity account today, only to realize that I was being forced into installing an Xfinity app. If you know what 2FA is...you probably already have another authenticator app.
Why on earth would you want to install a 2FA app for each and every service you use??? Why not allow users to consolidate and use any 2FA app??? It really highlights xfinity's ignorance, as does your webchat bot.
It's actually more secure. If you're interested, you can read about it here:
Generally, an app/service will display a qr code or give you the corresponding secret key phrase, which you then plug into any app (or develop your own). You could then manage it all with 1 app.
I'd wager that Xfinity's app uses the same authentication mechanism. They should just display the stinking qr code. I'm not installing that app.
Appears the Xfinity Authentication App has a few more features included specific to Comcast/Xfinity accounts:
I have to agree that it is silly to have a "special" 2FA app just to access one vendor's online customer service account. The veteran 2FA app user won't use it, they have a soft 2FA token app from Google, Microsoft, Authy or LastPass already, Xfinity should support them. And it is disingenuous to allow the uninitiated to believe such a one off app is necessary, not to mention non-supportive of industry interoperability. It's energy that could have garnered them some respect, instead it is off-putting.
It's worse than just a different unique app. Their app supports standard 2FA QR codes which means they're 2FA implementation is probably backed by the same. So really all their doing is refusing to give us access to the code what would allow us to use any standard 2FA key provider. I'm sure it's all done in the name of gathering even more data on their users, as if they don't know enough about me already.
Yet another inconvenienced user here and I agree full heartedly with OP. This is brain dead.
Here's my dilemma:
I'm on the Apple Upgrade Plan and at least once a year, I restore the backup of my previous phone to my new phone. The Xfinity authenticator app does not offer a mechanism to backup the 2FA seed, and so every year, I'm compelled to go through the cumbersome process of reinstalling and reconfiguring the Xfinity Authenticator app. I have dozens of other 2FA seeds encrypted and securely backed up in iCloud with my generic authenticator app that are higher value than my Comcast account.
This is a major inconveneince but to make matters worse, Comcast still allows SMS as a backup 2FA mechanisms that cannot be removed. I work in infosec and this is not how to implement 2FA securely. In 2020, it's trivial for a motivated attacked to social engineer wireless carriers to port mobile number and defeat 2FA by retrieving the SMS code. This is so common that NIST issued a public guideline in June 2017, recommending POTS and SMS not be used for out of band, 2FA mechanisms: https://pages.nist.gov/800-63-3/sp800-63b.html
Comcast Product Team: Let us use generic 2FA apps. The insignificant number of customers using generic authenticator apps do not appreciate the value add and will not disrupt your metrics. Implementation and recurring cost (testing) wise, it's no extra work. You're already using an open protocol. Give us a two week sprint and reveal the seed in the authenticator app.
For those of you who can't wait for Comcast, install the app on a jailbroken iPhone and you can extract the seed using a debugger. The seed works with Authy.