
One of the biggest weaknesses of SMS 2FA that I didn't see the article cover is when an attacker can socially engineer their way into your account with your cell service provider.

I'm thinking of a high-profile example when an attacker tried to take over h3h3's YouTube account by requesting his SIM card from T-mobile by pretending to be a T-mobile employee: https://youtu.be/caVEiitI2vg

The other day I forgot my Github password. When I went to go through the password reset process, it must have triggered the 2FA because it asked for my code. I use Google Authenticator, but I had switched to a new phone since the last time I used GA with Github, and never scanned the code on the new phone.

So now I'm at an impasse. How do I get the code? Well, Github has a backup -- it will SMS the code to your phone! When it said this I just kind of chuckled to myself as I also had seen the h3h3 video. Sure enough, it texted me the GA code and I got back in control of my account.

Github actually provides a list of emergency codes that you can print out and use as a last resort. I had printed these before and actually had them available, but forgot about that process.

Github is trying so hard to have your account secure, but yet the SIM card cloning threat is still there.

Hint: don't just scan the QR codes on one device, switch to the "type in the TFA secret" mode, and store that in your password safe (this makes it easier to add the key to all your devices too - I have the Google Auth app in two phones and an iPad. I'd advise against doing that without at least considering something better than a 4 digit pin unlock for your devices).

> Hint: don't just scan the QR codes on one device, switch to the "type in the TFA secret" mode, and store that in your password safe

I just don't use an authenticator app at all. Some password managers (e.g. 1Password) have support for storing TOTP. So, as long as I can access my 1Password vault (use a strong password!), I can access my TOTP codes.

Besides that, I prefer U2F, which is supported by GitHub.
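The reason the typed-in secret is the portable thing (and why a password manager can stand in for an authenticator app) is that every device seeded with the same base32 secret computes the same RFC 6238 code for the same 30-second step. Added example, not code from anyone in this thread; it uses the RFC 6238 reference key in a constructed otpauth URI, and the issuer/account names in it are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample: the RFC 6238 reference key "12345678901234567890", base32-encoded,
# in the otpauth form a site exposes under "type in the secret" (issuer/account are placeholders).
SAMPLE_URI = "otpauth://totp/GitHub:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=GitHub"

def secret_from_uri(uri):
    """Pull the base32 secret out of an otpauth:// URI (this is what the QR code encodes)."""
    qs = parse_qs(urlparse(uri).query)
    return qs["secret"][0]

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, unix_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret_b32, int(unix_time // step), digits)

def verify_totp(secret_b32, code, unix_time, step=30, digits=6, window=1):
    """Server-side check: accept +/- `window` steps of clock drift, compare in constant time."""
    counter = int(unix_time // step)
    return any(hmac.compare_digest(hotp(secret_b32, counter + d, digits), code)
               for d in range(-window, window + 1))

def devices_agree(uri, unix_time):
    """A phone app and a password-manager vault seeded from the same secret emit the same code."""
    secret = secret_from_uri(uri)
    phone_code = totp(secret, unix_time)
    vault_code = totp(secret, unix_time)
    return phone_code == vault_code and verify_totp(secret, vault_code, unix_time)

if __name__ == "__main__":
    s = secret_from_uri(SAMPLE_URI)
    print("current code:", totp(s))
    print("devices agree:", devices_agree(SAMPLE_URI, time.time()))
```

Because possession of the secret is sufficient to generate codes forever, the vault holding it deserves the strong master password the comment above mentions.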

> switch to the "type in the TFA secret" mode, and store that in your password safe

Oh that's a great idea! Never thought of that, thanks for sharing.

I had the new phone Google Authenticator lost data problem too. I use Authy now. It is attached to your email and phone number so you can login when you get a new phone.

There was an update to the GA app a year or two back that screwed up the saved data and lost a lot of people access to their stuff... Google's answer was "Sorry, our bad. We'll have a new version of the app out that doesn't do this in a few weeks or whenever we get around to it, but all your lost stuff is gone. Soz..."

Protip: Don't allow your TFA app/hardware to be a single point of failure. Don't upgrade your reserve TFA device/apps until you're 100% sure the upgrade on your primary TFA device/app has worked smoothly.

I don't understand the downvotes.

Anyway, I have one time codes for all accounts I use 2FA with. Google generates these one time codes as TOTP substitutes, LastPass generates them as a one time master password that's TOTP exempt. Amazon you have to send an email and they'll call to verify and then unset 2FA on the account.

Criticise the mighty Google, and you'll be forced to pay dearly with meaningless internet points ;-)

(It's a little telling that none of the downvoters attempted to refute any of the facts…)

Authy stores your TOTP accounts, so you can sync up using a new device.

I suppose if you're a high profile target it's safer to not use 2FA and rotate your password on a frequent basis.

No, it is not safer to not use 2FA. That SMS is easy to hijack does not mean that password+SMS 2FA is weaker than just a password.

It's important to separate out two separate things that we've seen happening - and the media has done a bad job distinguishing these two things - 2FA and account recovery.

If you use SMS 2FA, then to gain access to your account someone needs your password and to hijack your phone number. That's harder than just having your password, but perhaps not much harder if you are a prominent target. The advice I would give to popular youtubers and streamers would be to have very strong passwords using a password manager, and use a TOTP app for 2FA.

What most of the news stories have been about, however, is not 2FA but account recovery. If an attacker can gain access to your account using _only_ your SMS number then you do not have 2FA: It's 1 factor authentication! A lot of websites do a bad job of explaining why they are asking for your phone number - there are competing aims here, to both add security but also ensure you can still gain access to your account - but if you are a high profile target you should take care of the latter (access) yourself, and _not_ enable a backup phone number for account recovery purposes.

Using a burner phone number might also help: to port it to another provider they would have to discover your fake registration details. Though I wouldn't say that number would be impossible to extract from tech support ("Which number did I register with? Was it 2302 2489? No? Dang, it must have been a work cell phone, can you give it a call? No answer?", et cetera).
