Ask HN: Should HN Get 2FA? |
I’m sure you feel the same about locks on your car and on your home. I mean, those silly keys, eh? They get so much in the way of going in and out and just using those things. Better if we dispensed with keys entirely, and just left everything unlocked and instantly available.
If I get locked out of Google or Amazon or Facebook I can talk to the hand at best, with no recourse at all. A lot of 2FA hardware is garbage, like the Yubikey I had whose keychain hole wore out in less than two years -- it could have fallen off and been lost.
The options are varied, and are really only nerfed by obscurity of both the platform and your handle in terms of its doxxability.
For the rest of us, probably just simple / basic password complexity and some attempt at detecting brute force, if that is not already a thing. My personal preference for any site would be to also have an option for a CIDR/IP approve-list.
Everything I have heard from you so far is draped with ignorance and misinformation.
Recovery email/phone = same threat model as regular passwords, and it's a big crack; all the time, somebody bribes somebody at a phone carrier to take over the phone number of a crypto whale.
Practically, low-touch services are going to have to resort to these things, but they render 2FA performative.
Now at work 2FA is OK because I can go down the street and show my face and ID to the people at CIT and I don't mind it for my bank because their cost structure lets me do the same.
Like, this isn’t the 1980s anymore, password managers exist - even local-only ones - that can keep both strong passwords and recovery keys totally safe. KeePass in particular can be synced using server-free methods, keeping everything on-device, strongly encrypted, and essentially offline.
I suggest you touch some grass and actually educate yourself. TOTP 2FA is a massive leap in security that brings the traditional username+password safely into the modern threat era. Provided that the password is long+strong and the username leverages dot extensions in the email (if an email) or is a totally unique username (if only a text string), said three-point security can reliably exceed that of passkeys.