How do you handle 2FA?
16 points by PranavBerry on Oct 26, 2021 | hide | past | favorite | 26 comments
What do you use to handle 2FA? Sms? Email? or an Authenticator app?

What problems do you face with whatever 2FA you use? Are there security issues with any of them?

In case you use a phone based 2FA, is the phone not having internet/network a frequent problem?

PS - I am ideating on a 2FA method using cryptography where the user will not need internet on his phone. A QR code will be generated on the phone for each login attempt. The website/app where the user is logging in will scan that QR code and if the information in it is valid, the user will be logged in. Please let me know if you have any feedback on this and if this solution will solve any problems you have with 2FA.




I use Authy. Find the security good enough.

As for internet access on the device, shouldn't be a problem for any site that uses TOTP. However I can't imagine a situation where the phone wouldn't have access, but I'd be accessing a resource where authentication is an issue.


+1 for Authy. Works on desktops as well so you are not dependent on phone.


The questions you are asking are the wrong questions. Which is typical of people unfamiliar.

Deploying 2FA is easy. There are recipes. Anyone can do it.

The hard part is account recovery. Expect to spend 85% or more of your time on that aspect. You may not even arrive at a solution you are happy with, just one that is least bad.

>I am ideating on a 2FA method using cryptography where the user will not need internet on his phone.

Done over and over again. You are doing nothing useful. Account recovery is where some magic is worth doing.


So first off, TOTP and similar already solve the "phone is present but offline" issue.

But even if it didn't - how on earth is this meant to work? I'm somewhere that has no cell service, not connected to wifi, and need to login to something on a public computer..

Ok so with TOTP I just get the 6 digit code my phone generated, and type it into the input on the public computer, the site confirms it's the expected OTP and I'm in.

How does this work with a QR code? The phone generates a QR code... How does that help me login on the other device? You're assuming the other device will (a) have a webcam and (b) have reasonably easy access to capture an image via it and upload it via the browser...


> TOTP and similar already solve the "phone is present but offline" issue.

Thanks a lot, this invalidates my idea and I will not work further on it.


Authenticator apps that use TOTP (all of them) don’t need an internet connection. The auth codes are time-based and generated on the device, online or offline.

I use authenticator app or hardware key if supported. Adding TOTP 2FA to a web site is easy.
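To make the offline point concrete, here is an added example (not from any commenter) of the RFC 4226/6238 arithmetic an authenticator app performs: only the shared secret and the clock go in, so no network is involved. The secret is the RFC 6238 test vector, and the verifier accepts one 30 s step of drift either side.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter,
// dynamic truncation of the MAC, then reduction modulo 10^digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code := bin % uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totpAt derives the code for a Unix timestamp with the usual 30 s step (RFC 6238).
// Only the shared secret and the clock go in, which is why the phone needs no network.
func totpAt(secret []byte, unix int64, digits int) string {
	return hotp(secret, uint64(unix/30), digits)
}

// verifyTOTP is the server side: accept the current step and one step either
// side to absorb clock drift, comparing in constant time.
func verifyTOTP(secret []byte, code string, unix int64, digits int) bool {
	for _, skew := range []int64{-30, 0, 30} {
		if hmac.Equal([]byte(totpAt(secret, unix+skew, digits)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test secret
	fmt.Println(totpAt(secret, 59, 8))      // 94287082, matching the RFC vector
	now := time.Now().Unix()
	fmt.Println(verifyTOTP(secret, totpAt(secret, now, 6), now, 6)) // true
}
```

Real apps read the secret from the base32 string in the enrolment QR code; the derivation after that is exactly this.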


We use 1password at work. It's fantastic, never had issues. The GUI is really nice (on MacOS where I use it at least). The CLI is also nice for pushing secrets into scripts.


SMS is better than no 2FA at all, but is the weakest choice. Avoid if possible, unless it is your only choice, in which case, it's still better than nothing.

Authenticator app, hardware token (e.g. Yubikey), or email will usually be a question of which ones are supported by the service you are 2FA-ing into. You usually don't get a choice, so use what they offer.

Phone-based 2FA and lack of network is only a problem if you are using SMS push, and have no data service on the phone. But in that case, what system are you using to access the service? Can that machine hot-spot, or can your phone share its network connection? In practice, I've never seen a case where you have network connectivity to talk to a service, but not phone connectivity to get your SMS 2FA. So I'd say "not a frequent problem".

Given my choice (assuming all are supported) my order of preference would be: 1) Hardware token (e.g. Yubikey), 2) Authenticator App, 3) email, 4) SMS

Tokens are portable, can move between machines, have nothing to remember, and are easy to use.

Apps are running on some device, so still a true second factor (something you have) - and again, have nothing to remember, and can be secured with biometrics.

Email - now you are on two different things you know (not really a second factor), and you have to access your email on some potentially untrusted device, just to get the code, potentially now compromising your email. It's one more basket that if someone gets access to, they can probably reset your other service passwords for total account takeover. Still better than no 2FA, but higher friction to use and access, and not really a second factor.

SMS - it's just too easy for SIM swap attacks, and good social engineering to phish SMS codes. "Hi, this is $BANKNAME - we saw some suspicious activity on your account, so we are going to send a one-time code to you now. Please enter it back to us here to verify your identity" (scammer then uses your stolen password, tries to log in, real bank sends you real code, which you now are tricked into sending to scammer to complete their login as you).


> A QR code will be generated on the phone for each login attempt. The website/app where the user is logging in will scan that QR code

I don’t have a camera on my desktop computer, and I think I am far from alone in that.


Have you looked at FIDO? Sounds like you are solving a similar problem to them: https://fidoalliance.org/fido2/ (though that is more about a different, more secure first factor).

I think the bigger issue with 2FA is not the security of the various methods (though there are some concerns with SIM hijacking for high value accounts, for sure).

It's twofold:

   * companies choosing to implement it
   * UX for users using it

For the first, companies have to choose which MFA methods to allow. For typical consumer facing companies I have seen email, voice, and text. For more technical companies, TOTP is pretty common. But in all cases, the company has to spend time and energy to implement this. Login security is a feature, but not a super differentiating one. I do think some of the breaches and government mandates will help, but make sure you tell companies you do business with that you want MFA!

There's definitely an adoption barrier to TOTP, which plays into the second issue. TOTP is a lot to ask a non technical person to use. It really is.

I have written more about MFA for developers here: https://fusionauth.io/learn/expert-advice/authentication/mul... (full disclosure, this is an article hosted by my employer that I was paid to write).


> What problems do you face with whatever 2FA you use?

Ease of migration. I'm currently migrating away from Authy to Aegis. This experience in Aegis is simple because it can import and export the data.

I use gauth [0] on my laptop since there's no Aegis desktop client. This requires adding any new 2FA accounts to both Aegis and gauth at the same time, meaning I need both devices with me. I've not yet tried to export from Aegis and add to gauth separately later, but I'm hoping that will be okay.

> A QR code will be generated on the phone for each login attempt. The website/app where the user is logging in will scan that QR code

Not sure I understand. How will a website be able to scan my phone's screen?


> How will a website be able to scan my phone's screen?

Using your webcam. However from the comments it seems that there are a lot of devices without a webcam so my idea will not work.


My laptop doesn't have a webcam, and even if it did, I wouldn't permit my web browser access to it unless I really needed to. A website that asks me to access the webcam just to log in isn't going to appeal to me.

I've no idea how typical I am in this regard, though.

Could you turn the idea on its head? Could the website display the QR code and the phone scan it, as per WhatsApp and many others? Or perhaps the phone just displays the now ubiquitous "random raccoon" type wordset for the user to enter into the website?

I'm probably missing the point of your idea.


>the website display the QR code and the phone scan it

I'm exploring that right now, thx a lot.

>I'm probably missing the point of your idea.

It was mainly a way to do 2FA with a phone but no SMS/internet on phone. However it looks like TOTPs solve this problem.


> I'm exploring that right now, thx a lot.

No problem, good luck :) It's good to see someone experimenting in this area and asking for advice to stay on track.


As a user, I like having the choice and as a security conscious person, I nearly always choose authenticator app.


I use KeePassXC with TOTPs. That way, my 2FA is backed up with my passwords and is portable.


I complain to anyone offering SMS 2FA.

> PS - I am ideating on a 2FA method using cryptography where the user will not need internet on his phone.

If the user needs to be logged in somewhere, they must be online. So it's safe to assume their phone has a connection too.


> If the user needs to be logged in somewhere, they must be online

I will be using JWTs, with asymmetric signatures. An internet connection will only be needed while adding the device for 2FA. The JWT will be generated from the private key already on the phone so internet is not necessary.
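The flow described here, combined with the reversed direction suggested above (site shows the QR code, phone scans and signs it), reduces to a signed challenge: the service stores only the phone's public key at enrolment, and later verifies a signature the phone produces offline. This added example (mine, not the OP's code) uses a raw Ed25519 signature over a nonce rather than a JWT, which is an assumption for brevity; the binding to the account and the freshness check are the parts that matter.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

type enrolledDevice struct{ pub ed25519.PublicKey } // stored at enrolment: public key only

// challenge is what the site would encode in the QR code it displays.
type challenge struct {
	nonce    []byte
	user     string
	issuedAt time.Time
}

func newChallenge(user string) challenge {
	n := make([]byte, 32)
	_, _ = rand.Read(n) // crypto/rand; treat a failure as fatal in real code
	return challenge{nonce: n, user: user, issuedAt: time.Now()}
}

// message binds the nonce to the account so a captured response cannot be replayed for another user.
func (c challenge) message() []byte {
	return append([]byte(c.user+":"), c.nonce...)
}

// phoneSign runs on the phone, offline, with the private key it holds.
func phoneSign(priv ed25519.PrivateKey, c challenge) []byte {
	return ed25519.Sign(priv, c.message())
}

// verifyResponse is the server side: the challenge must be fresh and the signature valid under the enrolled key.
func verifyResponse(dev enrolledDevice, c challenge, sig []byte, now time.Time, ttl time.Duration) error {
	if now.Sub(c.issuedAt) > ttl {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(dev.pub, c.message(), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // generated once, at enrolment
	c := newChallenge("alice")
	fmt.Println(verifyResponse(enrolledDevice{pub}, c, phoneSign(priv, c), time.Now(), time.Minute)) // <nil>
}
```

A production version would also record used nonces so one response cannot be submitted twice within the TTL.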


What problem are you solving? I don't get it.


If the phone not having an internet/network coverage was a problem, my idea could be useful. It also makes the phone a kind of hardware token, a user can login only if he has his phone.

However from the responses it looks like this is not an issue and I'll probably not work further on this idea.


Yeah I really think it's a non-issue: 2FA apps such as Authy or Google Authenticator already work if the phone is offline.


That isn't a safe assumption at all.

A very well known issue with old SMS based OTP, is that they can stop working when the user is overseas.


I now use 1Password after getting seriously inconvenienced when my phone suddenly died and I had no chance to export tokens from the Authenticator app.

I only use SMS when a service doesn't offer an alternative.


Webauthn. Do not ever, ever use SMS or phone. If a user has a more secure method like webauthn, do not ever allow SMS/phone to be able to reset or override it.


I have many services using 2fa to login. Now the list in the authenticator app is too long.
