[us0r]

I've been bitching about GasBuddy since at least 2018 (I'm sure even further I'm too lazy to keep looking).

https://news.ycombinator.com/item?id=16776028#16776762

I've pretty much deleted all apps. I'm working on dumping my phone all together but shit like mandated 2FA is screwing that up.

[philipov]

At this point, 2FA is the only thing I use my phone for anymore. It's the only reason I even have a phone; I spent about a year without one until I had to for 2FA. But I don't need to carry it around anywhere for that. It would be inaccurate to call it a "mobile" device.

[waterproof]

It wouldn’t be too hard to create a physical device that can only be used to set up and retrieve Authenticator-app style 2FA codes.

All you’d need is a camera to read QR codes, a display, a few kB of storage and some pretty basic processing.

But then I guess that storage would need to be encrypted with some sort of authentication. Hmm.

[lxgr]

What about extending the protocol to an actual channel-bound challenge-response one, without the need for a (risky) out-of-band key exchange via a QR code?

We could call it something like Web Authentication. I could even imagine small, keychain-sized USB authenticators that you have to touch a capacitive button on to approve an authentication :)

[yencabulator]

That doesn't help when the services insist on SMS as 2FA.

[mixmastamyk]

Yubikey, FIDO2, etc already exists, though not supported everywhere.

[fsflover]

Sounds a bit like Precursor.

[mixmastamyk]

Most systems that have 2FA have MFA, TOTP or FIDO2 key. That’s what I use. Never SMS as it is unsafe.