Hacker News new | past | comments | ask | show | jobs | submit login

> Using smart phones as authentication devices suffers from this exact same problem.

This. 2FA or "tap to login" is all nice until the phone melts down and - by design - you (normally) don't even have backups, so have to use recovery codes. Which aren't always available.

> I have concluded the password is king.

What about the keypairs?

They are the same as passwords (when done right) - just long "random" strings of data. However, they don't have to be transferred over the wire for everyone to see. And they're more flexible in terms of possibilities on security-convenience spectrum.

There is no SRP standard for web (JS crypto doesn't count), but almost every TLS-aware system (client or server) out there has support for client certificates. The only problem is that browser vendors genuinely hate this (and want to shove users their own inventions), but if someone could somehow persuade them - it would just work.

> until the phone melts down

Under what circumstance would that be considered normal, expected, or acceptable?

My phone just doesn't do that, and never has. Sure it crashes maybe once a month or so, but then I'm able to use it again within ~15 seconds.

I think that experience is mirrored by most people.

We have different experiences, then.

Monthly crashes are no big deal (in fact, I think, my phone crashes only once in a few months). Slight nuisance at most - e.g. if the crash corrupts Android app cache and system boots awfully long minutes, re-compiling the apps. However, I have three different mobile devices (2 phones and a tablet), from different vendors (Nokia, Acer, Samsung) that had suffered a hardware failure after some (5-8) years of use. Three dead eMMCs.

So, I'm sort of wary. It's exceptional, infrequent but happens quite unexpectedly and is very frustrating when it does. Especially if the recovery keys (which are rarely accessed by design) are lost, inaccessible (you're on the road) or misplaced.

My phone rarely crashes too, but the point is it tends to crash at the worst moments (perhaps all moments are the worst moments, when you are reliant on technology).

Using strong passwords and an auto-completing app like keepass, this is simply not an issue. I can log in from another device.

Also, reliance on mobile devices means reliance on some corporation's cellular network. Putting the control of your vital access into the hands of people who you know are not your friends and who would love to take more than just your money is never a good idea, in my opinion. When their system crashes you can't just reboot your phone to fix the problem, you can't do anything.. in fact. You have to sit and stew in the hell of your creation until their system magically comes back online. Not worth it.

> 2FA or "tap to login" is all nice until the phone melts down and - by design - you (normally) don't even have backups, so have to use recovery codes. Which aren't always available.

Get a Yubikey and store all your OATH tokens on that, as well as your phone.

> Get a Yubikey

Easier said than done. Import restrictions on any cryptographic devices in the country I live. :( Russian government genuinely hates civil cryptography.

Last news I've heard, late this spring, some company had managed to negotiate and obtain the necessary certifications and permissions, but they're still setting warehouses and logistics.

Thought of getting an ATECC508A or alike Secure Element IC and make a DIY HSM, but had no luck either. An acquaintance why runs an electronic component retail business said he'll try but these are rare find here, and usually out of stock.

(I wonder if there's a way to buy a Yubikey or Nitrokey token, visiting EU as a tourist... Customs probably won't care checking what some USB stick in luggage is - everyone has flash drives.)

Ah, that sucks :( Does your mail carrier care what's in the envelope? A Yubikey is very small, or you can buy one of the Fidesmo cards, if you want to be lower-key.

Mail carrier doesn't[1], import customs do. They tend to regularly deny various hardware, like phones that aren't certified in Russia (I've tried to buy an OpenMoko GTA01 and it haven't passed through) or sometimes random hardware that has crypto or wireless stuff in it (e.g. Steam Link set-top-boxes).

I'm not sure what sort of logic they use for screening. They'd probably let anything pass if it'd be declared as "USB flash drive" and shipped from China (tons of such stuff is bought on AliExpress every day) in a typical envelope, haha - but may well likely screen the parcel for less common cases.


[1] A counter-terrorism^W mass surveillance law had recently passed so they will have to start screening parcels in 2017, though - but that's another story.

Oh, that's unfortunate. You're right about China, they're very savvy about marking things as "camera accessories" and "usb flash drive" so pretty much everything passes through, too bad other companies don't do that too...

I like keypairs but if you work with a lot of devices, it can be a bit troublesome managing all the per-device keys. I find passwords are a bit easier, this may be a matter of personal preference.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact