
Ask HN: When is 2FA not enough? - Domenic_S
I've noticed more and more sites ask you to log in with a username and password, then either answer a "secret" question or type in a 2FA token, AND THEN - in addition - "verify" your device. That's usually done by texting or emailing you a PIN that you type into the site.

I was under the impression that username + password + 2FA token was sufficient for anything public. What am I missing?
======
saluki
Dude, 2FA straight up sucks!

Undercover Boss Star Killer Base Edition
[https://youtu.be/FaOSCASqLsE?t=3m48s](https://youtu.be/FaOSCASqLsE?t=3m48s)

2FA is a weak link; it's been proven it's easy to social engineer access to
your phone account/number. Once someone has your phone they will receive all
your 2FA notifications, and once they can reset your email password with it
they have the keys to the castle.

Plus if you lose your phone, then you're locked out without your printable
one-time-use keys, which you probably didn't print.

There has to be something better.

------
mtmail
Texting or emailing is to make sure they can contact you in the future. Be it
for support or up-selling.

It also helps a bit with fraud (users who create multiple accounts) because
it's usually harder to come up with several working mobile phone numbers. I say
usually because professional fraudsters will find a way around that hurdle.

~~~
Domenic_S
In this case it was Verizon, who for sure knows my phone number ;)

------
akerl_
What is an example of a site that does this?

~~~
Domenic_S
Verizon was the annoyance that sparked my question.

