That's default, but you can buy an RSA hardware token.

Like this one [1]? Seems that it is not necessarily better than SMS.

[1] https://news.ycombinator.com/item?id=4156897

There is an actual, material difference between having no 2FA (guess passwords until you get in), SMS 2FA (have a human person call a phone provider and have the number switched), and token 2FA (given the physical device and a few hundred attempts, you're able to make another device that also authenticates). Saying you might as well not enable 2FA because a token cloning attack exists is ridiculous.

And it's not even an attack on the OTP token.