
Dedicated attackers routinely bypass two-factor auth. If your second factor is your phone, then they simply attack via the phone carrier first.

Don't use texts for the two-factor auth, use Google's app https://play.google.com/store/apps/details?id=com.google.and... and print out the one-time codes when prompted (for when your phone is unavailable for whatever reason).

As a bonus, you can also use it for when logging in over ssh with a password http://askubuntu.com/questions/159727/how-can-i-use-a-passco...

Anything can be hacked but it's a really solid system, even against a targeted attack and motivated attacker.

Thanks for the link, but could you explain why texts are non-optimal?

Phone companies are often quite stupid about letting phone numbers (with their texts) get redirected. Like you don't have to know any private information, just have a good story, stupid.

I'd hardly say people routinely bypass Google's two factor authentication (using the smartphone application), which is what I'm suggesting here.

I'm aware of one incident (the Cloudflare hack), but that seemed to be more a vulnerability in the password reset functionality than the authentication mechanism.

SMS verification is less than ideal, though.

Doesn't Google fall back on SMS or a phone call if you no longer have access to the authenticator app?

I know I have a printed sheet of one-time codes, but I think if an attacker compromises the phone number on my account, I'm screwed.

You can disable that, so that the one-time codes are your only backup method.

Whilst this might be true, I get the feeling this is more of a "targeted attack" rather than a target of opportunity. 2-factor is surely one of the best options we currently have to secure ourselves?

I agree. I think there was deliberate focus on the victim based on everything they accomplished.

My phone is a pay-as-you-go Motorola Razr from 2006. How could they hack that to gain access to my two-factor auth SMS code?

Other than stealing the phone, that is.

They trick your carrier into redirecting your messages.

