by sockbot 731 days ago
So many services now, including government, are requiring phones for "two step" authentication. There are technically alternatives like receiving a phone call or a secret word lookup table, but those are so impractical to use that I need my phone to be a TOTP device. I was close to putting in a preorder but I will need to see TOTP supported before I can drop my regular smart phone.
4 comments

You could use something like this as a companion to the phone - a standalone TOTP device. More secure than a phone too since it can't be remotely hacked (though it might require USB for programming, so it's not completely immune to hacking).

https://www.token2.com/shop/product/molto-2-v2-multi-profile...

An alternative is a really slow and old Android phone. One that has a visible lag as it logs in and you have to wait for a minute or so before the apps open.
Doesn't "old Android phone" also mean one that's no longer getting security updates? Probably not what you want on a phone that hosts your TOTP tokens.
If you don't run random apps and/or use it for web browsing, and block incoming SMS, a standalone device would have a smaller attack surface. If you really wanted to be paranoid, TOTP is computed off the time and a seed value and doesn't need Internet access, so the standalone device could have the cell modem and wifi disabled to reduce the attack surface even more.
Good point.
Could a hardware authenticator (Yubikey) be a workaround for this? Or are there services which don't support this?
> are there services which don't support [non-TOTP MFA]?

Yes, there are many which still only support SMS MFA -- and if you meant TOTP-On-Yubi, that's its own can of worms (limited size, [intentionally?] hard to sync or backup, vendor lock-in?). I hope passkeys lead to broader FIDO/U2F support.

Not only are there tons of devices that don't support non-TOTP, a lot of them are not optional due to monopoly or oligopoly. Government, for one. Banking is another (SMS "auth").
All comments on this thread are pointless as the requirement now is a non-rooted Android or iOS phone with a special app per entity.

Nobody is accepting TOTP anymore.

Some govts (br, sg, ru) even allow govt apps to authenticate via bank apps.