The problem is that your authenticator app doesn't give them access to a relatively stable, cross-site/app/etc identifier that they can sell for advertising peanuts.



Also an identifier that is much harder to create bots/spam with, as phone numbers are harder to come by than email addresses.


Almost counterintuitively I deal with more spam SMS than I do email but that’s probably less a factor of actual volume and more a factor of the need and sophistication of filters for both services.


It’s likely also a function of the market / location / network incentives.

My own anecdote is that I almost never receive spam SMS despite having nothing in place beyond whatever my service provider does.

Spam mails make it through two+ layers of filters (service provider + my own) more often than I get spam SMS, and I have to trawl the wasteland that is the spam box once in a while to ensure important mails have not been misclassified.


Require a phone number for account creation and support TOTP. Win-win.


It’s a loss from the business’ perspective. They could support 2FA with SMS and check a box; to additionally support it with TOTP would only be additional cost -- albeit with the bonus of “doing it right”. Unfortunately, that’s an abstraction which a lot of businesses consider to be achieved when they can check the box.


That's why my banks use their own apps as 2FA factors.


My banks' own 2FA apps inevitably stop working at some point. They shut down immediately after launching them. Alternatively they stop reacting to tapping the "confirm" button. If I leave them unattended for a few months, I'm almost certain they'll not work on the next use.


I've added a recurring event on my calendar to check login-ability to several apps with which I've had this kind of experience in the past. At least once per month.


Also, the average Muppet consumer can't manage it.


Not true. If we make Yubi keys cheap enough (below $5) then everyone would want them. Everyone is already carrying around keys, they won’t mind 1 more key. Why can’t we make yubi keys cheaper?


It has nothing to do with cost.

Using a yubikey says, specifically, that if I lose this little device and the bypass codes, that I have presumably stored on encrypted storage in a way that doesn't require the yubikey to access, then I want it to either be impossible or exceedingly difficult to recover access to this account.

Very few people actually want that, and if yubikeys become widespread, there will be a wave of people having tantrums because their yubikey is lost and the account is unrecoverable.

If it isn't extremely difficult to recover an account in the absence of a yubikey and the loss of the bypass codes generated on enrollment, then there's no point to them.

I've run a b2c website. There is a shocking percent of internet users -- I'd estimate 20% -- that cannot reliably tell you their email address (5% that literally can't, and another 15 that can't reliably). Those users having yubikeys would be an utter disaster.


It's absolutely a problem with cost, though a little bit with UX. If YubiKeys cost $5, it would be reasonable to have 3 of them: one you keep on your keychain, one at home, and one somewhere else. The UX problem is that you would want a way to enroll a YubiKey that you don't physically possess, but that is a solvable problem.

The bigger problem is that a large number of sites don't implement MFA properly, and don't allow you to enroll multiple MFA devices. This really could only be fixed with regulation that clearly defined MFA, so there would be consequences for improperly implementing it.


I promise you there is a significant percentage of people that would fumble enrollment; you handwaved away a giant problem (multiple enrollment, not present); and many people would put them all on the same keychain.

In the politest way possible, I question whether you've interacted with the modal user.

edit: I can try to dig up the article, but here's the precis: 5-ish years ago, google briefly changed their search results ranking. Lots of people were logging into facebook by searching facebook, instead of typing facebook.com, then following the top result. Some other site briefly was the top result when searching for google. That site got a wave of users submitting help requests because they couldn't log in with their facebook credentials, and accusations of subterfuge or wrongdoing because their accounts were deleted. I think it was pinterest, but I may not remember correctly. Either way, it looked nothing like facebook and didn't use blue.

That's what a significant fraction of internet users are like.


There is a shocking percent of internet users -- I'd estimate 20% -- that cannot reliably tell you their email address (5% that literally can't, and another 15 that can't reliably).

My email address is firstname.middlename@<wellknownemailprovider>.com

I get a dozen emails a week from companies and government agencies trying to reach people with the same first + middle name combination from around the world. People seem to think they automatically get an email address with their name provisioned or something and they just sign up for accounts and services using that combo.


Truly bizarre how many large companies do not verify email addresses before setting up accounts.


Pocket space is finite. There's no way I'm carrying a yubikey unless I can jam it in my laptop USB port (defeating the purpose of it) and forget about it.


A Yubikey used in that way is still more efficient and secure than every other option.

Someone would need to physically take your laptop, unlock it, and get your account passwords before they could use your yubikey to login to accounts.


Then why not just store the encrypted credential on the device itself?

Would that be what passkeys would be?


Theft: A $2000 laptop is an easy target for anyone with sticky fingers, and so is a $1000 smartphone. A Yubikey has essentially zero resale value, so you will not lose them due to random theft.

Durability: If you drop your smartphone, there's a pretty good chance you'll shatter the screen and buy a new one. You can play tennis with a Yubikey and it'll be fine. You can run it through the washing machine and it'll be fine.

Longevity: Laptops and smartphones generally only have a 3-5 year lifespan due to battery degradation, and many people will want to swap it for one with more storage or whatever anyways. A Yubikey will essentially last forever, and if you stay clear of the insanity that is Passkeys its Webauthn element can support an infinite number of websites.

Portability: I have a smartphone, a work laptop, a home laptop, and a home desktop. My Yubikey has USB and NFC, so it can trivially be used with all of them. Individually enrolling each device would be a nightmare, and having the credentials sync is a bad idea from a security perspective.

Security: If your device gets compromised, it's pretty much game over: the attacker can now log in to all your accounts, any time they want. With a Yubikey I have to physically insert it and tap the button for each login - which is relatively rare because active sessions don't tend to expire. This means I would have to actively participate in a mass compromise of my accounts, making it way more likely to be noticed.


Passkeys is like embedded Yubikeys, or, Yubikeys are like external passkeys.

The point of passkeys is that the key is kept inside a separate secure computer running secure blobs, so user code can't touch it. That sounds sketchy, but contactless payments using a similar embedded secure computer have been fine, so this should be too.


A couple of other people answered you already in a lot of detail, so I don’t have much to add there.

But I do recognize that it really is a legitimate question, and it feels like Yubi would benefit from running more outreach / promotion programs with schools and companies. I never felt like I could justify spending $50 just to try it out (especially when it doesn’t have support in a lot of sites), but then they partnered with Cloudflare to sell up to 5 per person at $10 each. It was a no-brainer to try it at that price and I haven’t looked back.


That wouldn't defeat the purpose of it.


$5 is cheap where? Most internet companies are global and have little desire to cut off customers in developing countries, since that's a major area of growth.

$5 in the US is roughly equivalent to $20 in my country, when you adjust for purchasing power parity. We have over 70 million people who use Facebook and Youtube daily.

If rich Americans won't pay $20 for a Yubi key (and they are currently $25) why should we be expected to?


I have and use yubi keys; they are annoying to set up and use compared to sms. No one will want that outside a few geeks.


No freaking way. I don't use YubiKeys not because they are expensive, but because they are less convenient than other options.


There are some quite cheap FIDO2 keys ( https://www.token2.com/shop/product/token2-t2f2-fido2-and-u2... ). But WebAuthn / Passkeys can also be provided by your Android or iOS phone. Or the TPM chip on a laptop.


No I promise you they won't "want one".

RSA keypads were an example. Absolutely free. Hung on keychains. They worked well in that they were "secure" and worked, but were an absolute nightmare for the banks to manage. UX was equally terrible (sure, Yubikey isn't that).

The only way to mass introduce it is to require multiple key entities to push and collaborate, like your bank + phone provider, to push it out for free.

Yubi keys are a logistical nightmare for my parents. SMS is not. For my parents, sticking to something in the phone is good.


And when a bunch of your users can’t get in to their accounts because they lost their yubikeys?

