Hacker News new | past | comments | ask | show | jobs | submit login

I suppose if you're a high profile target it's safer to not use 2FA and rotate your password on a frequent basis.



No, it is not safer to not use 2FA. That SMS is easy to hijack does not mean that password+SMS 2FA is weaker than just a password.

It's important to separate out two separate things that we've seen happening - and the media has done a bad job distinguishing these two things - 2FA and account recovery.

If you use SMS 2FA, then to gain access to your account someone needs your password and to hijack your phone number. That's harder than just having your password, but perhaps not much harder if you are a prominent target. The advice I would give to popular youtubers and streamers would be to have very strong passwords using a password manager, and use a TOTP app for 2FA.

What most of the news stories have been about, however, is not 2FA but account recovery. If an attacker can gain access to your account using _only_ your SMS number then you do not have 2FA: It's 1 factor authentication! A lot of websites do a bad job of explaining why they are asking for your phone number - there are competing aims here, to both add security but also ensure you can still gain access to your account - but if you are a high profile target you should take care of the latter (access) yourself, and _not_ enable a backup phone number for account recovery purposes.


Using a burner phone number might also help, to port it to another provider they would have to discover your fake registration details. Though I wouldn't say that number would be impossible to extract from tech support ("Which number did I register with? Was it 2302 2489? No? Dang, it must have been a work cell phone, can you give it a call? No answer?", et cetera).




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: