
This spells the end of privacy on the Internet. Your phone 100% identifies you. Plus, if you lose it, you may lose your account as well. I just got an email from Twitter support, saying that I could “restore” my lost access by creating a new account. I thought this email was some kind of a joke, but no.



"This spells the end of privacy on the Internet. Your phone 100% identifies you."

My "2FA Mule" has no identifying information of any kind on it and doesn't follow my location(s).

It's a stock android phone with no google account and no apps installed except for "SMS Forwarder"[1].

It is configured to forward all SMS to an email address via encrypted SMTP. This means that I can receive these 2FA codes anywhere I have Internet access - such as an airplane or newly arrived in a foreign country where my SIM card does not work.

The "2FA Mule" itself is plugged in at my office in a corner.

I'm not employing this for anything sensitive but it's interesting to consider that I can use SMS based 2FA while divorcing it from my day to day SIM identity ...

[1] https://play.google.com/store/apps/details?id=com.frzinapps....


What happens if that phone is destroyed through some sort of accident, possibly involving your office? No matter how unlikely, if that's not a contingency you've planned for, the plan needs some work.


At some point you've got to sign off on 'acceptable risk'.


"What happens if that phone is destroyed through some sort of accident ..."

I don't think that's an issue at all ...

I don't care about the phone - all I care about is the SIM card. If the SIM card is destroyed, your provider can issue a new one.

I guess if the 2FA mule was destroyed while I was traveling that would be a real pain but ...


That's a great idea, and worth remembering for me in the future, but it's also worth noting not everyone can afford a 2FA mule phone.

(yes even as relatively "cheap" phones are these days. there was a time that $20 was a no-go for me.)


That is why I use a TOTP app that lets me export an encrypted copy of the TOTP secrets. I also have a printed-out copy of the secrets stored in a secure location, which I update monthly for new accounts I add in. Prior to that when I was just using Google Authenticator I would record the TOTP secret prior to importing it into the app.


What TOTP app do you use, and what format do you print the secrets in?

I currently use "OTP Auth" for iOS, which supports backup and encrypted cloud sync, but I'm not sure if that supports something like "export to a text file".


On Android, andOTP is good.

It is open source, maintained, easy to use, can do backups and re-present the QR code so you can easily scan it with another device.

https://github.com/andOTP/andOTP


I stumbled across Aegis for Android (they don't have an iOS version though). The export format is JSON; you can export in cleartext or AES encrypted.


What app is it?


> This spells the end of privacy on the Internet. Your phone 100% identifies you.

But I don't think Google mandates you to use a phone for 2FA? You can use any TOTP app or a U2F dongle like the Yubikey (or the Ledger Nano S, which has an U2F app).


Uh, doesn't this accept U2F?

I'm a Googler, but haven't really looked into this yet.


AFAIK you should be able to remove your phone number from your account after adding some other type of MFA (authenticator app or key fob). Did this change recently?


I see your point but unlike climate change, privacy is not a one-way loss. It can be restored so long as some other technology prevails. Wishful thinking perhaps, but it's well within the realm of possibility.


> This spells the end of privacy on the pop(ular) internet.

FTFY. Though, I'd argue privacy has been dead there for years already.



