A practical attack against users is malware on the machine, which would allow screen viewing and key logging.

An attacker can then compromise both factors at the same time.

To me, this weakens the point of 2FA a lot.

And another one is to try passwords from previous database dumps against your email/etc. This is even more effective than using malware.

If you are able to use a second device for your 2FA, great, but it is not always possible, and 2FA on the same device is still better than no 2FA at all. I don't want to carry around a key just for all my 2FA passwords but still want to use my phone for common tasks that require 2FA.

It's pretty irrelevant nowadays anyway. People log on to their Google, Facebook, etc. accounts from their phone as well as their desktop, so for a lot of users 2FA is done on the same machine anyway - that machine just happens to be the phone.

Additionally, the keylogging threat is severely reduced against most 2FA (because the login has to happen before the user sends the OTP) and can be eliminated completely by ensuring the token code is on a separate screen and creating a 30-second lock on the account while the user is entering the code.
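An added example, written for this page and not posted by anyone in the thread: a minimal RFC 4226/6238 TOTP verifier in Python that enforces single use of each code and locks the factor for 30 seconds after repeated wrong codes. It shows the part of the point above that holds up in practice: once the legitimate login has consumed a code, a copy captured by a keylogger is rejected as a replay, and it expires with its 30-second time step regardless. The lock here is only rate limiting of guesses; nothing in this code can stop malware that already controls the machine from submitting the code first or reusing the resulting session. The secret is the RFC's published test secret, the timestamps are constructed, and `TotpVerifier` and its field names are my own.

```python
"""TOTP verifier with single-use enforcement and a failure lockout.

Added example, not from the thread. The secret is the RFC 4226/6238 test
secret "12345678901234567890"; TotpVerifier and its field names are mine.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


@dataclass
class TotpVerifier:
    """Server-side state for one account's TOTP factor."""
    secret: bytes
    step: int = 30
    digits: int = 6
    window: int = 1          # tolerate +/- one step of clock skew
    max_failures: int = 5    # wrong codes before the factor locks
    lock_seconds: int = 30   # how long the lock lasts
    last_counter: int = -1   # highest time-step counter whose code was already accepted
    failures: int = 0
    locked_until: int = 0

    def verify(self, code: str, now: int) -> bool:
        """Return True at most once per time step for a correct code; False otherwise.

        Single use (RFC 6238 section 5.2): a counter at or below last_counter is
        never tried again, so a code captured by a keylogger is dead as soon as the
        legitimate login has consumed it, and it expires with its time step anyway.
        """
        if now < self.locked_until:
            return False
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # already consumed (or older): treat as a replay
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lock_seconds
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC test secret; real secrets are random per user
    server = TotpVerifier(secret)
    t = 59  # constructed timestamp (the RFC 6238 test vector time)
    code = totp(secret, t)
    print("victim logs in with", code, "->", server.verify(code, t))           # True
    print("keylogged code replayed 10s later ->", server.verify(code, t + 10))  # False (single use)
    print("keylogged code replayed next step ->", server.verify(code, t + 31))  # False (expired)
```

The verifier keeps only the last accepted counter, not a list of used codes, which is enough because any counter at or below it can never be valid again. A real deployment would persist that counter and the lockout per account and would add a constant-time check that does not leak which window offset matched.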

Mobile device security (well, for iOS anyway) is waaaaaaaay better than PC security (for ordinary users), so I'd disagree with the point that app+phone is the same as browser+PC.

In what world is malware which has full control of the PC stopped by having the token code on a separate monitor but on the same logical system (if that's what you're talking about)?

An attacker with control of the PC can just get access to any app on that PC...

Maybe on a $300 phone.

This is fun. I have a tablet here on my desk that I was given to repair a couple of days ago. It's a mainstream tablet here in Greece, sold for 70-90€, the sort of thing you'd buy if you are an "ordinary user" who doesn't know any better.

Well, it's running a 4.x Android with a custom marketplace and it is FULL OF ADWARE. Seriously. There are fullscreen porn popup ads on the OS itself. There are hundreds of spam notifications, a "fake" screenlocker which captures your taps into ads, etc., etc. Seriously, this thing is like a Windows XP SP0 PC from 2005 after heavy adblockless porn usage with Flash and Java on. I actually haven't seen anything like that this decade.

This is what you get if you buy an off-the-shelf tablet or phone here. This is what "ordinary users" get. We gave up control of our own devices in the name of security, yet shit like this can still happen.

(Sorry for the OT rant. Seeing that tablet pissed me off.)

You're confusing out-of-band authentication with 2FA. They are not mutually exclusive, and solve for different issues.

