
>2FA in general makes a bad solution worse all for the sake of security; it's not long for this world.

Can you expand on this?

With reasonable setups (trusted locations and trusted devices) the friction is absolutely minimal. And it isn't even a question: the security benefits are astronomical.

I am not understanding how you can say 2FA is "not long for this world".




1. Traditional way:
- type email/username
- type password
- click submit

2. 2FA way:
- type email
- type password
- click submit
- switch to secondary email/text app
- wait for email/text to arrive
- copy text string (not consistent, depends on input method)
- switch back to main app
- paste or manually type text string
- click submit

3. Hybrid (passkey?) setups are a great step in the right direction. Even more convenient than passwords, and more secure, without app switching, which is the huge friction point.


You're purposefully writing #2 in a way to be more convoluted than it is, to prove your point, I guess?

#3 is still MFA.


How did they write #2 to be more convoluted than it is? The way I read it literally describes my average experience for any "2FA" login.


My average 2FA experience when setting it up for the companies I consult for is:

Enter credentials -> receive push notification and press "yes" -> login.

They wrote #2 to be purposefully long and convoluted. "Copy/paste code" is somehow 5 steps, with a waiting period? We really needed to detail out "switch app" as 2 steps? Come on.

As another example:

If you were to give directions to someone on how to get to your house, do you say: "Turn right at XYZ street, follow that up to ABC street and take a left, last house on the right"

Or do you say

"When you are 50ft from XYZ street, press on the brake pedal. When you get to the corner, turn the steering wheel to the right, hand over hand, then get the car straight again, press your accelerator, approach the speed limit, check mirrors every 20 seconds [...]".

Both are true. One is unnecessarily detailed to make it seem more complicated than it is.


Push notification from what? Another app? How'd you get that app?

Imagine needing two apps to log in to one app.


Oh please.

Do I need to go back and explain how the computer chip is made and what transistors are, too?

Or maybe we start at the part where you have to find a store to purchase a phone, and walk through that process?


If you're on macOS and have an iPhone, 2FHey copies 2FA SMS codes to your clipboard for you.

I've been using it for a few months and it works very well.

https://2fhey.com/


If you use Safari it will prompt to autofill the 2FA field with the SMS code. No need for an extra app.


You probably haven't worked with aging populations much. 2FA is an absolute nightmare when dealing with people who have learning or memory deficits.


I have certainly worked with aging populations, people who have barely any experience with computers, etc. While consulting, I have probably walked a few thousand people through MFA setup and use.

I have not tried to set up MFA for someone with memory deficits, so I can't speak to that.

All of that is completely beside the point, though. I'm not sure why it matters. There is 0 chance that MFA is "not long for this world".



