
This low-cost device may be the world’s best hope against account takeovers - anexprogrammer
http://arstechnica.co.uk/security/2016/12/this-low-cost-device-may-be-the-worlds-best-hope-against-account-takeovers/
======
crdoconnor
The difficult question regarding two-factor authentication is "what do you do
if you lose the second factor?"

The answer to that question can often range all the way from "your account is
lost forever" to "you have to go through a whirlwind of bureaucratic pain" to
"the alternative method of entry is easy, hassle free, and how your account
will end up compromised."

~~~
skookum
Yubico's answer to this is to own & register two of them against the
account/software they are being used as the 2nd factor for. Some accounts also
offer something short of the whirlwind but not as socially engineerable as the
obvious easy, hassle free methods - for example Google issues backup codes for
signing into the account when you lose all your means of 2FA.

~~~
chrismeller
Out of curiosity, do you actually have your backup codes somewhere? I know I
did at some point, but the things you don't use, you lose...

------
amelius
I'd be interested to hear how people on HN currently secure their SSH sessions
with two-factor authentication.

~~~
typicalrunt
Duo: [https://duo.com](https://duo.com)

Super easy to set up and use. About $1/user/month, so fairly cheap.

~~~
amelius
Does it allow "nested" logins? E.g., first log in from machine A to
machine B, then log in from machine B to machine C, while the security token is
on machine A?

------
brudgers
Plugging a device into a USB port was the method by which Stuxnet was
deployed.

------
plg
New MBP laptops have no compatible USB slots

Another dongle

------
plg
What about Apple Watch for 2FA

~~~
h4waii
Unfortunately Apple Watch and Android Wear don't seem to have an offline
H/TOTP generator.

Pebble is the only real wearable that does have an open source on-device OTP
generator =>
[https://github.com/JumpMaster/QuickAuth](https://github.com/JumpMaster/QuickAuth)
and it's one of the main reasons I've stuck with Pebble.

