Hacker News new | ask | show | jobs
by ipaddr 40 days ago
Use to be now they are requiring 2fa for addon domains over a certain amount
3 comments
ceejayoz 40 days ago
Of all the things to be upset about, mandatory 2FA doesn't seem like one.
link
ipaddr 40 days ago
2FA has been in place for years through email but this new requirement forces a phone.
link
ceejayoz 40 days ago
Good. E-mail based 2FA is bad, and they appear to support TOTP too as an option, as they should. Wish they supported U2F though.
link
ipaddr 40 days ago
Why is email based 2fa bad but phone good? There are classes of issues you get through phone 2fa compared to email
link
ceejayoz 40 days ago
Typically, you can also reset password via email, so it's really only one factor. Compromised email = compromised server.
link
maccard 40 days ago
It’s negligent to not use 2FA for any cloud platform where credentials can be used to spin up resources.
link
ipaddr 40 days ago
I should have been more clear 2FA has been in place for years the phone requirement is new.
link
jlokier 40 days ago
They use TOTP for 2FA (industry standard), which doesn't require a phone.

Their help page lists a bunch of 2FA app options, all of which run on phones, so it's understandable to think a phone is required. (I'm disappointed they don't list the app I use, which is Aegis Authenticator.)

But actually you can use any TOTP app, and they don't all need a phone. For example, macOS (desktop) has built-in TOTP 2FA as part of the password manager.

link
esseph 40 days ago
Good! Should have been done long ago
link