by abalone 4697 days ago
Not a tremendously compelling argument, and I think the company may come to regret the know-it-all tone of the post. Hubris is not what you want in a security platform company.

The author cites two "flaws":

1. Your phone is offline sometimes.

Twitter has a backup code mechanism that covers this case. They talk about it, right in the post.

2. An attacker can send verification requests that look exactly like yours.

The sole use case for this mechanism is to verify login attempts by the phone's owner in real-time. If a verification request comes in and you're not actually trying to log into Twitter, or if you see more than one, you know you're being attacked.

It's true if you share a login among multiple coworkers then you're vulnerable to being tricked. But that's a bad practice to begin with, and this 2-factor system is still a massive improvement in security even for that scenario.


While I agree that Twitter's mechanism addresses the vast majority of potential attacks against a person's Twitter account (which would almost always be remote), it's not hard to imagine a scenario like Authy describes.

Imagine you're at work, logging in to a two-factor system. Now imagine your attacker is sitting 15 feet away from you. All the attacker needs to do is wait for you to attempt to log in to the system before attempting to log in himself.

When we have penetration tests run against us, this is exactly what is happening. We give the penetration tester a desk, a connection to the internal corporate network, and the same bare level of access we would give to a temporary contract employee.

And if you see multiple requests on your phone, you know it's an attack and you should reject both. The criticism is basically "someone might see a bunch of requests and, not knowing which is theirs, approve them all." If someone is that foolish, you're already in trouble.

I agree except for the part about not caring about foolish users.

For me, it is more about asking yourself what approach will increase the overall security of a system. User adoption is a critical consideration. That is where Twitter's approach shines. It's something that is super easy to adopt, no numbers to type in, which means literally millions more users may adopt it. Authy is undervaluing that consideration.

Yes, this is vulnerable to a) foolish users who approve duplicate requests and b) users who have an attacker looking over their shoulder.

Pretty good tradeoff IMHO.
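The policy the thread argues for, written out server-side as an added example (not Twitter's or Authy's code): one tap approves a pending push request, two overlapping unanswered requests for the same account void each other instead of letting a shoulder-surfer's request ride along, and single-use backup codes cover the phone-is-offline case. The class and method names, the 60-second pending window and the in-memory store are all assumptions for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

PENDING_TTL = 60.0  # assumed: seconds an unanswered push request stays answerable

@dataclass
class Account:
    pending: dict[str, float] = field(default_factory=dict)  # req_id -> created at
    backup_hashes: set[str] = field(default_factory=set)     # sha256 of unused codes

class PushVerifier:
    # Hypothetical server side of a push-to-approve login (not a real service's API).
    def __init__(self, clock=time.time) -> None:
        self.clock = clock  # injectable so the pending window can be tested
        self.accounts: dict[str, Account] = {}

    def request_login(self, user: str) -> str:
        acct = self.accounts.setdefault(user, Account())
        now = self.clock()
        acct.pending = {r: t for r, t in acct.pending.items() if now - t < PENDING_TTL}
        req_id = secrets.token_hex(8)  # unguessable id pushed to the device
        acct.pending[req_id] = now
        return req_id

    def answer(self, user: str, req_id: str, approve: bool) -> str:
        acct = self.accounts.get(user, Account())
        if req_id not in acct.pending:
            return "unknown"
        if len(acct.pending) > 1:
            acct.pending.clear()  # overlapping requests: void all, nobody gets in
            return "contested"
        del acct.pending[req_id]
        return "approved" if approve else "denied"

    def issue_backup_codes(self, user: str, n: int = 5) -> list[str]:
        acct = self.accounts.setdefault(user, Account())
        codes = [secrets.token_hex(5) for _ in range(n)]
        acct.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes  # shown to the user once; server keeps only the hashes

    def redeem_backup_code(self, user: str, code: str) -> bool:
        acct = self.accounts.get(user, Account())
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest not in acct.backup_hashes:
            return False
        acct.backup_hashes.discard(digest)  # each code works exactly once
        return True
```

A contested outcome is also the natural place to raise an alert, since the thread's point is that a second concurrent request is itself the signal of an attack.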