
Or a hardware token. It doesn't have to be a software token running on your existing phone.

That being said, several companies [1][2][3] have in fact made software authenticators that run on J2ME.

[1] https://guide.duo.com/j2me

[2] http://www.aradiom.com/SolidPass/2fa-OTP-security-token.htm

[3] http://www.eset.com/us/products/secure-authentication/

> Or a hardware token

The trouble is with the user (the user is always the problem). What happens if they lose their hardware token? You must have a way to recover that is not exploitable by bad guys but usable by the good people just trying to get back into their account.

SMS fills this pretty well despite its security flaws. I'm not convinced hardware fixes this, at least not in any current form I've seen.

My bank gives out hardware tokens. It's super easy to use, and I trust it way more than using SMS, even though they tried to push me over to using SMS (probably a cost-cutting move on their part). When it gets lost, they can replace it.

That sounds like a pretty miserable user experience though. People are forgetful and lose things. Doing something online for the ease of it only to have to wait for something physical seems like a big step backwards as far as UX is concerned.

Until you make good security dead simple it'll never be used by the majority.
