by usethis
4445 days ago
> Just from a UX perspective - security aspects aside - this is worse by a magnitude.

This is not true, clicking a link in an email, or copying a number from an sms is much easier than first logging into my password manager, finding the entry and then copy it into the field. Also, this also works for apps as well, not just the browser. Besides, password manager usage might still be quite low. So what the writer advocates is not less secure than having a single password for almost all their websites, like most people have.

On websites that I've enabled 2FA on, I let LastPass autofill (no clicks) and pulling up Google Authenticator on my phone is what takes time.
The problem with using SMS as your only authentication is, what do you use for your second factor? I suppose a PIN would work.
SMSes are also trivial to intercept: imagine the national telco silently routes some login SMSes that were going to a number on a list to the local internal security agency. The user just gets no SMS (or a code that doesn't work), assumes something went wrong on the network, and asks for another one. Meanwhile the "baddies" have logged in already and snaffled up the information they want.
What I want is to be able to use Google Authenticator as my only authentication, plus a PIN for slightly sensitive sites and a long password for very sensitive sites (and to disable my phone from a distance).