undefined | Better HN

0 pointssamatman1y ago0 comments

The slogan is "something you know and something you have", right?

I don't have strong opinions about making it mandatory, but I turned on 2FA for all accounts of importance years ago. I use a password manager, which means everything I "know" could conceivably get popped with one exploit.

It's not that much friction to pull out (or find) my phone and authenticate. It only gets annoying when I switch phones, but I have a habit of only doing that every four years or so.

You sound like you know what you're doing, that's fine, but I don't think it's true that MFA doesn't add security on average.

0 comments

jjav1y ago

> It only gets annoying when I switch phones

Right. I don't ever want to tie login to a phone because phones are pretty disposable.

> I don't think it's true that MFA doesn't add security on average

You're right! On average it's better, because most people have bad password and/or reuse them in more than one place. So yes MFA is better.

But if your password is already impossible to guess (as 128+ random bits are) then tacking on a few more bytes of entropy (the TOTP seed) doesn't do much.

satokema1y ago

Those few bits are the difference between a keylogged password holder waltzing in and an automated monitor noticing that someone is failing the token check and locking the account before any damage occurs.

StillBored1y ago

I think your missing parents point, both are just preshared keys, one has some additional fuzz around it so that the user in theory isn't themselves typing the same second key in all the time, but much of that security is in keeping the second secret in a little keychain device that cannot itself leak the secret. Once people put the seeds in their password managers/phones/etc its just more data to steal.

Plus, the server/provider side remains a huge weak point too. And the effort of enrolling/giving the user the initial seed is suspect.

This is why the FIDO/hardware passkeys/etc are so much better because is basically hardware enforced two way public key auth, done correctly there isn't any way to leak the private keys and its hard has hell to MITM. Which is why loss of the hw is so catastrophic. Most every other MFA scheme is just a bit of extra theater.

1 more reply

j / k navigate · click thread line to collapse