Hacker News new | ask | show | jobs
by ary 1438 days ago
This is clearly not true. Having a second factor helps maintain security in the situation where your password is compromised (phishing is just one scenario). It isn't perfect, and can itself be defeated. However, compromising an account with 2FA is demonstrably more difficult than one without.
2 comments
naniwaduni 1438 days ago
While there are scenarios where 2FA can maintain security where a password is compromised, it's absolutely true that for a large swath of practical threat models, almost the entire benefit of 2FA comes in the form of assigning the shared secret instead of letting the user pick a weak and/or widely-reused password and the "having a second factor" bit doesn't really factor into the picture in any meaningful way.
link
staticassertion 1438 days ago
These weaknesses are implementation specific. FIDO2/U2F is unphishable, requires proof of presence, and is a significant security win over a strong password.
link
Wowfunhappy 1438 days ago
Is PyPI requiring maintainers to use a hardware key? If not, I don’t understand how this policy is helpful.

Anyone who hadn’t already turned on 2FA is going to use the most frictionless so-called second factor they can.

link
staticassertion 1437 days ago
They've been offering people hardware keys for free.

https://pypi.org/security-key-giveaway/

link
Wowfunhappy 1437 days ago
That's a great initiative, but I expect the maintainers who are interested to be the ones who've already turned on (some lesser form of) 2FA voluntarily.

Anyone who is turning on 2FA because of this requirement is going to select the most frictionless method of complying with the mandate. Which will not be a hardware key.

link
staticassertion 1437 days ago
OK? So more people use TOTP and there's a marginal security win. And maybe a few use a token, and there's a significant win.
link
naniwaduni 1437 days ago
I'm not calling it a weakness. I'm saying that the alleged advantages of the 2F in 2FA don't normally matter to people who just want to their shit to work.
link
Wowfunhappy 1438 days ago
If they can phish my password, they can trivially phish my OTP as well. The one thing I can see actually protecting against that is a physical hardware key, but that's a lot of extra inconvenience.
link