Sure, by all means, I am happy about companies offering SMS 2FA as an option (as long as they don't block VoIP, that is).

What is annoying is making it the only option, or almost as bad, a mandatory recovery option bypassing all other factors.



I think even Google is highly suspect of allowing a bazillion fallbacks to different MFA options.

What’s the alternative, if you don’t want people to get completely locked out when they fuck up?


Agreed.

If you use a password manager to generate a high-entropy password, come up with similarly-secure answers to the “security questions”, and make sure your email is also secure, then SMS 2FA is a significant downgrade to your overall security.


Note that using SMS-OTP as a second factor besides the password/security questions, 2FA is never a downgrade, but using SMS-OTP as a single recovery factor (for a forgotten password) definitely is. Only the latter is a problem.


It’s still a downgrade because it’s an avenue for social engineering the customer service/support reps.


