Hacker News new | past | comments | ask | show | jobs | submit login

Why not just support both? As a savvy user I can choose SMS-only without ever letting Google anywhere near my shared secret.

Or I can implement or build from source a TFA app I trust and use that.

I really hate sites that support TFA and don't support authentication apps as I have very poor phone service at both my home and place of work and hence SMS is a frustrating experience for me.

SMS is not a secure channel. For example transmitting patient info over SMS violates HIPPA.

Wait - I was disagreeing with the GP's assertion that SMS-only was a good idea, so I think we very much agree. Maybe you meant to respond to my parent post?

IMO a shared-secret OTP app is certainly not unbreakable but is more secure than SMS.

SMS is known to be easily subpoenaed and universally stored while believing in a widespread OTP app trojan-horse requires some form of tinfoil-hattery. Both are still orders of magnitude more secure than single-factor authentication anyway and hence I believe both should be included in a reasonable 2-factor authentication solution.

Personally I can't adopt an SMS-only 2-factor solution due to service issues anyway.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact