
>I've even seen sites where registration is done on sites with expired certs. Not everyone registers directly within the service itself, and there are plenty of cases where config and security are not implemented and managed properly.

I might be missing something, but what does that have to do with the efficacy of token-based 2FA?



Web forms allow social media sites to capture bare phone numbers and store them in other places than just for authentication services. The places they store these numbers are often exposed to the public and to partners for a fee, along with personal data, which regularly is connected to other personal data on each account user. 2FA does not keep your account secure, and is just a bogus ploy to get your phone number by social and other platforms, if most of your personally identifiable information that a site stores can be scraped ALONG WITH YOUR PHONE NUMBER, as it was, from a social media site (which is exactly what happened in the original article cited).


You are missing the point of the GP’s comment. Token based 2fa does not involve phone numbers.

Most people who talk about 2fa being good are talking about TOTP or security keys. Phone number based 2fa is awful for a variety of reasons.


Ever heard of YubiKey, Google Authenticator or Authy?


At the risk of sounding rude, I don’t think you understand how modern 2FA works. No phone number is involved.

Your parent comment is based on misinformation and is the top comment; please consider editing or deleting it.


You have not properly read my other comments within this post. That is arrogantly presumptive, and overvaluing the ideal that downvotes should suppress freedom of opinion.


I have, actually - they don’t make any sense. What about TOTP are you opposed to? That’s modern 2FA, not something related to phones.



