Hacker News new | past | comments | ask | show | jobs | submit login

Wouldn't PUSH notifications over the Google and Cloud networks resolve this? I know Google Prompt and Authy do this already because of SMS. Authy posted this a couple weeks ago: https://www.authy.com/blog/security-of-sms-for-2fa-what-are-...



Interestingly, when you sync a new device with Authy, one of the options to verify is SMS.


IIRC, Authy uses this SMS challenge to authenticate users to allow you to download the database of secrets. This db is encrypted by a passphrase which never leaves the device. So, Authy is using SMS as one part of a multi-auth system to get to the final unencrypted data.

That said, anyone with a SIM card able to get messages for your phone number can download the encrypted database and attempt offline passphrase recovery. It might take a while to brute force, they seem to use a lot of hashing rounds as it takes a couple of seconds to verify the passphrase on a 2014 Moto X.




Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: