by zobzu 5066 days ago
of course the issue with 2 factors is that:

- you can still social engineer your way out (!) - "oh I lost my phone and the recovery keys" "here's my name, address, cc number, etc. please help!" (i.e. nothing has been solved)

- it's quite annoying to use

- it doesn't solve everything, only weak passwords/brute force

- it locks you out if you lose your phone/token until you get back home to get your recovery keys

- compromising the phone (2nd factor for the general public) allows compromising both passwords and the authenticator

and the issue of password managers:

- they're stored everywhere because you need them (incl. your phone)

- you have a single password to decrypt them all

- compromising the phone, once again, gives you all passwords, and the authenticator
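The "compromising the phone gives you both factors" point above, as an added example that is not part of the original post or its replies. It implements HOTP (RFC 4226) and TOTP (RFC 6238), a server-side check that requires both the password and a fresh code, and a constructed model of a phone that holds the authenticator seed and also sees the password typed into it. The user record, the phone contents, the salt and the "alice" account are all constructed for the example; the seed is the RFC 6238 test key so the codes can be checked against the published vectors.

```python
"""Added example (not from the original post): HOTP/TOTP plus a model of the
'both factors live on one device' failure mode discussed in the thread."""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


PW_ITERATIONS = 100_000

# Constructed server state for one user: a PBKDF2 password hash and the TOTP
# seed, base32-encoded as authenticator apps store it. Assumption: a real
# service would keep the seed encrypted at rest; that does not matter here.
USER_DB = {
    "alice": {
        "pw_salt": b"constructed-salt",
        "pw_hash": hashlib.pbkdf2_hmac(
            "sha256", b"correct horse battery", b"constructed-salt", PW_ITERATIONS),
        "totp_seed": base64.b32encode(b"12345678901234567890").decode(),
        "last_counter": -1,  # replay protection: never accept a used time step again
    }
}


def verify_login(user: str, password: str, code: str, unix_time: int,
                 drift_steps: int = 1) -> bool:
    """Both factors are required. Codes within +/- drift_steps of the current
    30-second step are accepted (clock drift); a step that has already been
    used is refused so a captured code cannot be replayed."""
    rec = USER_DB.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), rec["pw_salt"], PW_ITERATIONS)
    if not hmac.compare_digest(candidate, rec["pw_hash"]):
        return False
    seed = base64.b32decode(rec["totp_seed"])
    now_counter = unix_time // 30
    for counter in range(now_counter - drift_steps, now_counter + drift_steps + 1):
        if counter <= rec["last_counter"]:
            continue
        if hmac.compare_digest(hotp(seed, counter), code):
            rec["last_counter"] = counter
            return True
    return False


# Constructed model of the user's phone: it holds the authenticator seed AND
# observed the password when the user typed it into the phone's mail client.
PHONE = {
    "authenticator_seed": USER_DB["alice"]["totp_seed"],
    "typed_password": "correct horse battery",
}


def attacker_with_phone_dump(phone: dict, unix_time: int) -> bool:
    """An attacker who controls the phone derives both factors from it alone."""
    seed = base64.b32decode(phone["authenticator_seed"])
    return verify_login("alice", phone["typed_password"], totp(seed, unix_time), unix_time)


def attacker_with_seed_only(phone: dict, unix_time: int) -> bool:
    """The seed without the password: one factor is still not enough."""
    seed = base64.b32decode(phone["authenticator_seed"])
    return verify_login("alice", "wrong password", totp(seed, unix_time), unix_time)


if __name__ == "__main__":
    now = 1111111111  # RFC 6238 test time; 6-digit code here is 050471
    print("seed only:", attacker_with_seed_only(PHONE, now))
    print("seed + typed password:", attacker_with_phone_dump(PHONE, now))
    print("same code replayed:", attacker_with_phone_dump(PHONE, now))
```

The design point: the server-side check is sound on its own (wrong password fails, reused code fails), and yet a single compromised device still satisfies it, because the "what you have" is a seed file on the phone and the "what you know" passes through the same phone's keyboard.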


How does compromising the phone compromise the password? I turned on 2 factor auth and the only thing that would be compromised is the code generated by the 2 factor auth. My password is still secure in my head.

My password doesn't get used for anything, all my applications have a 1 app only password.

An attacker would still need my password...

I think the issue is most people have email on their iphone, so you can send yourself a password reset to your phone, get your password, then use the code also generated on your phone.

Personally I have a pin on my iPhone - and I have my iPhone set to 'reset' itself if there are 10 incorrect pin attempts - so even if I lose my phone, I doubt they would get in...

what do you think happens, when you type the password that's safely stored in your head, onto your phone? :P

> compromising the phone (2nd factor for the general public) allow compromising both passwords and the authenticator

Unless I've misunderstood how 2-factor authentication works, this is misinformation. The entire point of 2-factor authentication is that you need _both_ factors; i.e., having only one does not compromise the system.

Except in practice you have both factors on the phone (unless you don't use the phone for anything other than... phone and an authenticator? that just never happens)

so, no, you just need to think about it a little while longer.

> Except in practice you have both factors on the phone

What do you mean by this? I'm not doubting you, but I'm still a bit confused -- currently taking a Security course, so I'm a newbie in the field.

Do you mean that if the phone is compromised (and you don't know it's compromised) that once you input your password (the "what you know") the system is broken? Certainly, I can see that.

I may still be misunderstanding, but if you don't store your password(s) on your phone, then does it prevent this attack?

Of course it doesn't solve everything, but it raises the bar. Social engineering is an active attack that doesn't scale like phishing; the support folks at the organization will catch on a whole lot quicker than their users.