by orblivion 1504 days ago
Because I've been warned by security conscious people never to use a phone number as a 2FA because it's so insecure, and using it as a recovery option seems to create an even weaker link. If that's somehow not true, I haven't gotten around to figuring out why that is because I only have so much time for this shit.

Security conscious? Or security expert?

SIM-swaps are easy but do not scale. This means that they don't actually affect a lot of people. The improvement in security posture from SMS 2FA to TOTP is actually fairly small, because both lose to phishing and phishing is orders of magnitude more common than SIM-swaps or malware that steals SMS codes.

As a solo recovery option, it is indeed a more meaningful risk. But we also observe that people just lose their accounts all the time if they don't have a phone-based recovery option so I do understand why the option is offered.

Google allows for various kinds of 2FA, not just SMS. You can use a hardware key or even Google apps installed on other trusted devices.

Great, can I use a hardware key (or authenticator app, in my case) if I get locked out of my account like the person who posted this question? That's my point.

To be clear, 2FA != account recovery.

Not for all accounts. After several years, they started strongly recommending an SMS verification, then finally locked my account when I couldn't provide them one. [I have SMS turned off by my cellular provider] Every year or so I'll see if I can get back in. Sometimes I'm presented with a non-SMS option, but once I work through that, they go right back to insisting on SMS.

I only used that account for communicating with one friend, [our mail hosts were blocking each other in some kind of spam war tit-for-tat] now deceased, so it was no great loss to lose the account, but rather annoying that they pretend harvesting phone numbers is some type of "authentication."

But if you don’t remove your phone number then the insecure option is still present.