
But... the experience of SMS as a second factor is also miserable. You don't have access to it when you're abroad, you can lose access to a phone number just the same as any other 2nd factor. In fact it seems more likely because there are other unrelated reasons that the phone company might take the phone number from you, in addition to the possibility of physical loss. In addition if you need to change phone numbers it is not easy to remember all the services that have that number stored as a factor to change them all.



But you can also gain back a phone number, by bringing your new phone to the phone company's physical location and presenting ID. That's not really an option with TOTP tokens.

I mostly agree with the other points (although I don't think I'm the only one with Wi-Fi calling and SMS, even abroad).


> But you can also gain back a phone number

...at which point the attacker has already taken over all your important online accounts and changed them to a different phone number.


Not without your password. The comment I was replying to specifically referred to the phone number as a 2nd factor. This excludes services like Twitter where a phone number can be the sole factor used to reset your password (which is awful security, obviously).

Also, you're specifically talking about SIM-jacking. The vast majority of people have upgraded phones, or broken or lost and then replaced a phone, far more times than they have been SIM-jacked. What do they do about their TOTP tokens in those scenarios?


That depends on the way the phone company operates, surely? You can’t do it if you are abroad, or if it’s a prepay SIM and the phone company doesn’t know your identity. Some telcos will give your number to somebody else if you don’t connect to the network for too long.


Sure, you're totally right that in some cases, physically losing a phone also means loss of that phone number. But in 100% of cases, physically losing a phone means loss of those TOTP tokens.

For the vast majority of people, that's a dealbreaker, in spite of SMS being deeply flawed, as the comment you originally replied to said.



