by im3w1l 1512 days ago
> That's some artificial limitation made to force you into adding phone number to your account.

Agreed

> You can't use authenticator app to enable 2FA. I have no idea why SMS which is the least secure way to send information is a primary method and authenticator app which can be set up by scanning QR from the screen without sending any information at all is «secondary» and can only be used after you give your phone number.

The number of people getting locked out of their account because they lost the phone with the auth app would be unacceptably large, is my guess. People lose their phones all the time. SIM-jackings are rare.

Not only a lost phone, but a damaged phone is enough, as you can easily swap the SIM card but an authenticator needs to be set up again. BUT there are also one-time recovery codes; they could add an option to use those to recover after clicking through a few screens of warnings to make sure that you know what consequences it has.
That's one reason I definitely prefer SMS auth to any other method at the moment.

What if your phone is damaged while traveling and you are away from where you stored your recovery keys?

Whenever I add a new 2FA token, I always add it to my phone and a TOTP app (Authy) on my computers. Same thing for recovery keys.
You can always bring a paper recovery code or FIDO authenticator (both of which are safe against SIM swapping attacks).
We've been told for decades to "not write passwords on post-its" and we're really back to square one...
It's not a password, it is a secondary, single-use recovery second factor.

Carrying that around in a wallet doesn't make you any more vulnerable to physical attackers than carrying your YubiKey on a keyring, and it's much more secure against remote attacks than SMS 2FA (where you can fall victim to SIM swapping, number porting attacks, etc.).

Ideally, the paper would be in a safety deposit box or safe and not stuck to your monitor.
If it fits your needs to have it in a fixed location, then yes.

But he talked about traveling.

IDK about you, but I don't travel with a safe in my backpack.