
He's arguing not just against SMS-2FA, but against 2FA itself, and his simple solution is to "just use a strong password".

The author completely misses the point about the value of 2FA itself. I agree SMS-2FA is not good, but that doesn't mean 2FA is worthless.



I guess he was trying to specify 2FA that's NOT U2F, or other very strong options. But yeah, in principle, he's really talking about SMS, TOTP, et al. Bit of a shame, because TOTP itself is far better than SMS. It's all a sliding scale of security vs convenience.


There are security dimensions on which TOTP is worse. It's plausible for the SMS code to contain enough information about the login attempt to make the user realize they're being phished.

"Are you trying to log in from Ukraine? If yes, the code is 123456."

"Bank transfer of 10000 EUR to account XYZ: verification code 987654"

TOTP obviously can't do this.


Except it's not really a sliding scale with SMS being "easy" and U2F being "hard". U2F is SO much more convenient than either TOTP or SMS. SMS might be a little easier than TOTP, but with either one you still have to (1) find the phone, (2) unlock it, (3) hunt around for and open the app, (4) manually type the code in, often looking back and forth between the phone and webpage 2 or more times before you get it. Compare to just tapping the U2F key with the side of your finger (assuming it's already plugged in, which is what I do). There's just no comparison in terms of UX between U2F and anything else I've ever seen.


Can you use the same USB key for every application you need to authenticate to?


Web sites can all just do WebAuthn. The browser will securely manage the relationship between each site and the USB key ensuring that sites can't lie to the key about who they are (which would enable phishing).

If you are happy to use this only as a second factor, the USB key can handle any number of sites without constraint. If you want "resident credentials" where the USB key can sign you in spontaneously (no need to even enter a username or email address) the key needs storage for each such credential, those on the market today hold only a relatively small number, fine for your bank but not for say Hacker News and other forum sites you might join dozens of.

For other application software it's trickier but possible, you can see that OpenSSH did this for example.
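
An added example (not from the comment above or from any WebAuthn library) of the check that gives the "sites can't lie to the key about who they are" property. In WebAuthn the browser, not the page's JavaScript, writes the origin into clientDataJSON, and the authenticator hashes the RP ID into the first 32 bytes of authenticatorData; both are covered by the assertion signature. The relying party then verifies them against what it expects. The RP ID, origins, challenge and the `verify_binding` / `signed_payload` helper names below are assumptions for illustration; the signature check itself (ECDSA over `signed_payload` with the credential's public key) is left to a crypto library and is not implemented here.

```python
import base64
import hashlib
import json

# Assumed relying party configuration for this example.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"
# Constructed challenge; a real server draws fresh random bytes per ceremony.
CHALLENGE = bytes(range(32))

FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Simulate the clientDataJSON the *browser* serialises for navigator.credentials.get().
    Page script cannot alter the origin field; here we construct it to model
    both an honest browser on the real site and one on a phishing site."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
        separators=(",", ":"),
    ).encode()


def make_authenticator_data(rp_id: str, counter: int, flags: int = FLAG_USER_PRESENT | FLAG_USER_VERIFIED) -> bytes:
    """Simulate the authenticatorData an authenticator returns for an assertion:
    SHA-256(rpId) || flags || 32-bit big-endian signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_binding(client_data_json: bytes, authenticator_data: bytes,
                   expected_origin: str, expected_rp_id: str, expected_challenge: bytes):
    """Relying-party side checks from the WebAuthn assertion verification procedure.
    Returns (ok, reason). A phishing origin or a wrong RP ID fails here even if
    the authenticator's signature is perfectly valid."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    return True, "ok"


def signed_payload(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the authenticator actually signs: authenticatorData || SHA-256(clientDataJSON).
    Because the origin and rpIdHash are inside this payload, a phisher cannot
    replay a signature obtained on its own origin against the real site."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


if __name__ == "__main__":
    auth = make_authenticator_data(RP_ID, counter=7)
    print(verify_binding(make_client_data(EXPECTED_ORIGIN, CHALLENGE), auth, EXPECTED_ORIGIN, RP_ID, CHALLENGE))
    # Look-alike phishing origin: the browser there records the attacker's origin.
    print(verify_binding(make_client_data("https://examp1e.com", CHALLENGE), auth, EXPECTED_ORIGIN, RP_ID, CHALLENGE))
    # Authenticator scoped to the attacker's RP ID: rpIdHash does not match.
    print(verify_binding(make_client_data(EXPECTED_ORIGIN, CHALLENGE),
                         make_authenticator_data("examp1e.com", 7), EXPECTED_ORIGIN, RP_ID, CHALLENGE))
```

Browsers additionally refuse to use an RP ID that is not a registrable suffix of the page's effective domain, which is why the attacker cannot simply ask the key for a credential scoped to the victim site.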


Yes

(If the service supports U2F)


Sort of. He discusses the benefits of phishing resistant approaches like u2f later in the article.



