Hacker News new | past | comments | ask | show | jobs | submit login

How does this example protect against phishing? Since the user believes that he's actually authenticating with WellsFargo.com, he would confirm.

That's what U2F protects against.




It's also expensive...the vast majority of users aren't going to buy a U2F key and carry it around. They just won't. 2-way OOB authentication does protect against phishing when combined with other information, such as IP geolocation. For example, the message could say "if you are not in [city from which login is coming], do not reply to this message".


Simple OOB authentication is much better than nothing, and I agree with you that most users aren't going to buy an U2F key unless it's subsidized and/or required by a service (look at Github - they're running a $5 U2F YubiKey promotion right now).

But still, there's no way to make this really secure for the average user. IP geolocation is easily tricked - a scammer just needs a large enough botnet and he'll be able to pick an IP address in the same city for the majority of victims.


$18 for the cheapest one. I paid 12 pounds for the same key on Amazon.co.uk


Hm I think they changed the offer, because when I went through a week 1/2 ago I got two for $15 (including shipping). Ah yep...

>While supplies last, GitHub users can purchase special edition U2F Security Keys for $5 plus shipping and handling (regular price $18; 5,000 special edition keys available). After the special keys are gone, all GitHub users are eligible for a 20% discount on U2F-certified YubiKeys, for a limited time.


Everyone will soon be using hardware key signing devices for identification and authorization as these keys are gonna basically be free within a couple of years. We're also moving towards self-authentication with public key crypto.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: