Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Also, why is the 2FA option hidden under "Privacy" and not right next to the Change Password option?

You'd think they would want to advertise 2FA better...



Why do people insist on using sms as the second factor? Let me use TOTP (e.g. Google Authenticator). I don't get reception everywhere!


I get you - but how many places do you not get sms reception but you still have enough internet connection to be trying to log in to LinkedIn? (Inside a data center, maybe?)


> I get you - but how many places do you not get sms reception but you still have enough internet connection to be trying to log in to LinkedIn?

Any time you travel internationally? My phone only has one SIM slot and it's not going to be the $10/MB roaming one from back home.

SMS 2FA is an awful trend.


I agree about SMS being a bad chice for 2FA, and so do the Telcos here:

http://www.itnews.com.au/news/telcos-declare-sms-unsafe-for-...

"The lobby group for Australian telcos has declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction."

and

"SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication,"


Plenty of places around London where I have WIFI access but no 3G/4G signal (tube stations, various Starbucks, couple of Costas, my flat, DB's Bishopgate office in 2014, etc.)

It makes e.g. Twitter's insistence on SMS 2FA annoying (since their "we've sent you login request to your app" just doesn't work for me, I'm stuck with SMS).


Inside a building?


Not only that, but in general, I don't want to give them my phone number. They'll just leak it or abuse it.

Google Authenticator is great, and I use it anywhere I can. I also take a physical backup of the seeds in a secure (and secret) location, in case I lose my device.


2FA doesn't mean much if the user can 2FA from one device (i.e. Login to a site from a phone and request the 2FA SMS to the same phone).

Something needs to change here.


I disagree. Even if you use the same device to access a service, you still need the device to authenticate. It's authenticating by more than one factor. You need my password, plus my phone, plus possibly a way to access my phone (my PIN code or fingerprint). That's much better than just a password.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: