100% agree. Several products that offer two-factor auth have data to support the fact that accounts with SMS-based TFA enabled are compromised at a substantially lower rate than those without it.

TFA has been empirically proven to be effective; why is this recommendation being made? I can't find the answer in the article or on GitHub.

I'd suggest that is because there is enough low-hanging fruit (single-factor, password-based sites) left to attack.

Phone 2FA is, to me, a bad idea, as SMS was never designed as a secure transmission and there are a number of known unfixable weaknesses as a result:

1) Many OSes are allowing SMS to be viewed on the user's computer, so a standard malware attack can get both the password and access to SMS.

2) Web sites exist to provide access to a user's SMS messages for a number of providers. So an attacker who compromises the PC gets access to SMS messages as well.

Whilst app-based 2FA (e.g. Google Authenticator) isn't perfect, it's better than this, and should be what companies are aiming at in 2016...

