by andix
846 days ago
How is a second factor adding an "account takeover path"? You're not seriously saying that adding a second factor is reducing security? We can agree that password reset via SMS token is bad. It basically reduces everything to one factor login via SMS.
And as to "You're not seriously saying that adding a second factor is reducing security?" -- yes I am, when it's not a second factor, it's implemented as an "only factor".
To that point, btw, I'd linked to your other reply about resets from a couple of mine: https://news.ycombinator.com/item?id=39467039
* Note: And by "as implemented almost everywhere", I mean so indistinguishable from everywhere that that effectively boils down to "SMS is bad", much easier for users and builders to understand, when better options are available.