
There is an actual, material difference between having no 2FA (guess passwords until you get in), SMS 2FA (have a human person call a phone provider and have the number switched), and token 2FA (given the physical device and a few hundred attempts, you're able to make another device that also authenticates). Saying you might as well not enable 2FA because a token cloning attack exists is ridiculous.





And it's not even an attack on the OTP token.


