
How to *securely* use SMS two-factor authentication (2FA) - miesman
https://www.gluu.org/blog/how-to-securely-use-sms-two-factor-authentication-2fa/
======
miesman
Submitted this because although some sites like Vanguard allow you to use a
security key like SecurID or Yubico FIDO, they still require you to have SMS
security codes enabled in case you don't have your key. This invalidates
any additional security keys have over SMS on your account. Would be very
interested in the HN community's thoughts on this.

~~~
beatgammit
And Vanguard specifically only supports Chrome (last I checked), so it's a
nonstarter if you primarily use Firefox, even though my Yubikey works fine on
other sites with Firefox. Perhaps WebAuthn will fix that, but it's the current
reality.

Instead of SMS, I wish more sites would fall back to email. There are a lot
more scenarios IMO where I don't have access to my phone/SMS than not having
access to email, and most email providers are better protected than SMS.

