
What happens if your house burns down with everything in it?

You’d then have to contact support to let you bypass 2FA, but if that’s possible then the 2FA protection is weak, prone to social hacking.




I keep an extra Yubikey in my bank box, next to my other backup keys. The only account I'd be locked out of is Twitter since they only let you add 1 token (my primary).


AWS also only allows you to add a single device, much to my annoyance. I still haven’t found a solution for that which doesn’t involve risking getting locked out.


One answer I've seen is to create multiple users for the same person. The second user becomes the "backup" user with a different physical device and is used only to reset the primary.
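As an added illustration of the "backup user" pattern described above (not code from the original thread or from AWS documentation), this is an IAM identity policy that could be attached to the backup user so that it can do nothing except unenrol the primary user's MFA device, and only when the backup user's own session was itself authenticated with MFA. The account id and user names are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ResetPrimaryUsersMfaOnly",
      "Effect": "Allow",
      "Action": [
        "iam:ListMFADevices",
        "iam:DeactivateMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::111122223333:user/primary-user",
        "arn:aws:iam::111122223333:mfa/primary-user"
      ],
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}
```

The backup user's own MFA device is a second physical token stored separately (the thread's "bank box" scenario). Because the policy grants no other permissions, compromise of the backup credentials alone yields only the ability to strip MFA from the primary user, which still leaves the primary password as a barrier; the `aws:MultiFactorAuthPresent` condition means the backup user's password alone is not sufficient either. Note that with 2FA disabled, the primary user's security drops to password-only, so the account should be re-enrolled with a new device immediately afterwards.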


At $dayjob I "solved" that problem by setting up SAML auth so we would all log in via G Suite (thus using 2FA via Yubikey there). A few months after I set that up, we got acquired by a big company that uses RSA SecurID software security tokens. The security policy mandates that you have only one active security token instance (which BTW acts as a password replacement instead of 2FA, I assume for better interop with legacy tools that only talk LDAP...)


AWS at least lets you sign in using alternative methods if you get locked out: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...


Which in itself is a problem: it means the MFA device is not required if they only have access to my email + phone.


Sure, I know. Just pointing out that, at least for AWS, you do not need recovery codes or a second device for MFA. For me personally, phone+email is good enough for my threat model.


Yes, AWS MFA is very poorly implemented.


Most sites let you set up both the Yubikey and a Google auth style TOTP. I always set up both, with TOTP codes saved in KeePassXC and SFTP'd to a backup server.


If I keep one with me and one at home, then I only have to worry about leaving both at home if I’m caught in the fire. Additionally, if I can prove who I am in person, or via friends' attestations, or both, that’s a lot better than a forgot-password form or SMS hijacking.


"if your house burns down with everything in it, you'd have to call somebody" seems like a fairly ridiculous concern.


That's not their argument. Please read the last bit of the sentence again.



