
I'd suggest that is because there is enough low-hanging fruit (single factor password based sites) left to attack.

Phone 2FA is, to me, a bad idea as SMS was never designed as a secure transmission and there's a number of known unfixable weaknesses as a result.

1) Many OSes are allowing SMS to be viewed on the user's computer, so a standard malware attack can get both the password and access to SMS.

2) Web sites exist to provide access to a user's SMS messages for a number of providers. So an attacker who compromises the PC gets access to SMS messages as well.

Whilst app based 2FA (e.g. Google Authenticator) isn't perfect, it's better than this, and should be what companies are aiming at in 2016...



