
Worst is their suggestion to disable 2FA! I tweeted to them about it, and they seem to have removed it after that!

Wells Fargo's 2FA uses SMS. Hardly worth enabling.

I don’t know why you’re being downvoted. SMS 2FA is not safe, full stop.

Sure, SMS-based 2FA is not nearly as secure as other forms of 2FA. But unless you're targeted, SMS-based 2FA still helps add a layer of security against other issues like password re-use. Of course none of us do that either, but for the general public, I'd rather support SMS-based 2FA across the board than nothing at all.

For the average Joe it's good enough; no one is SIM swapping Bob who works at Walmart.

That's the default, but you can buy an RSA hardware token.

Like this one [1]? Seems that it is not necessarily better than SMS.

[1] https://news.ycombinator.com/item?id=4156897

There is an actual, material difference between having no 2FA (guess passwords until you get in), SMS 2FA (have a human person call a phone provider and have the number switched), and token 2FA (given the physical device and a few hundred attempts, you're able to make another device that also authenticates). Saying you might as well not enable 2FA because a token cloning attack exists is ridiculous.

And it's not even an attack on the OTP token.
