by kube-system 1419 days ago
Token-based 2FA does not leak any information to the service, and it has the benefit of preventing other types of attacks on the functions that the system is supposed to do. There is literally no reason to be against TOTP or WebAuthn.

I don’t agree. At worst it just introduces a “hey, I lost my phone” customer support backdoor that may be weaker than what was there before.

It’s not any worse than the “hey, I forgot my password” support backdoor.

If you have a support backdoor, it doesn’t matter what technology you use. That’s not a technology problem.

That’s a security flaw. Backup codes are the fix if you get locked out. Sure, the attacker could find the backup codes, but that can be a challenging task.

And at best? And what about on average?
How could you ever guarantee that when registration for many services are conducted on such a wide variety of Internet-based web forms that are integrated into web sites?

That's not logical.

I've even seen sites where registration is done on sites with expired certs. Not everyone registers directly within the service itself, and there are plenty of cases where config and security are not implemented and managed properly.

You can guarantee that TOTP and WebAuthn do not share personal information because their implementation does not involve the use of any personal information.
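To make the point concrete, here is an added example (not code from any commenter) of what a TOTP enrollment and verification per RFC 6238 actually consist of: the service stores one random secret per account, and a code is an HMAC over a time counter. No phone number or other personal data ever enters the computation. Names such as `enroll` and `verify` are mine.

```python
import base64
import hashlib
import hmac
import os
import struct


def enroll(account_label: str, issuer: str) -> tuple[bytes, str]:
    """Create a new random shared secret for an account.

    The service stores only `secret`; the otpauth URI is shown once to the
    user (e.g. as a QR code) so the authenticator app can import it.
    """
    secret = os.urandom(20)  # 160-bit secret, as recommended for HMAC-SHA1
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = f"otpauth://totp/{issuer}:{account_label}?secret={b32}&issuer={issuer}"
    return secret, uri


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP on top of RFC 4226 HOTP with HMAC-SHA1."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           skew: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept a code for the current step or up to `skew` steps either side
    (tolerates clock drift); constant-time comparison avoids timing leaks."""
    for delta in range(-skew, skew + 1):
        expected = totp(secret, unix_time + delta * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Constructed demo using the RFC 6238 Appendix B test secret.
RFC_SECRET = b"12345678901234567890"
DEMO_CODE = totp(RFC_SECRET, 59, digits=8)   # RFC vector: "94287082"
```

A sensible server additionally records the last counter it accepted for an account so the same code cannot be replayed within the skew window.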
>I've even seen sites where registration is done on sites with expired certs. Not everyone registers directly within the service itself, and there are plenty of cases where config and security are not implemented and managed properly.

I might be missing something, but what does that have to do with the efficacy of token-based 2FA?

Web forms allow social media sites to capture bare phone numbers and store them in other places than just for authentication services. The places they store these numbers are often exposed to the public and to partners for a fee, along with personal data, which regularly is connected to other personal data on each account user. 2FA does not keep your account secure, and is just a bogus ploy by social and other platforms to get your phone number, if most of the personally identifiable information that a site stores can be scraped ALONG WITH YOUR PHONE NUMBER, as it was, from a social media site (which is exactly what happened in the original article cited).

You are missing the point of the GP’s comment. Token-based 2FA does not involve phone numbers.

Most people who talk about 2FA being good are talking about TOTP or security keys. Phone-number-based 2FA is awful for a variety of reasons.

Ever heard of YubiKey, Google Authenticator or Authy?

At the risk of sounding rude, I don’t think you understand how modern 2FA works. No phone number is involved.

Your parent comment is based on misinformation and is the top comment; please consider editing or deleting it.

You have not properly read my other comments within this post. That is arrogantly presumptive, and overvaluing the ideal that downvotes should suppress freedom of opinion.

I have, actually; they don’t make any sense. What about TOTP are you opposed to? That’s modern 2FA, not something related to phones.