
Well, I guess that's the hazard: it's definitely better to have "2FA lite" than to have no 2FA at all, but I don't think our mentality when it comes to 2FA advocacy should be resignation towards the mistakes that users make. But that's a really hard line to walk.



What mistake is a user making? Sophisticated users lose access to their 2FA credentials all the time. The conventional advice is "enroll multiple TOTP devices". Most users don't have multiple mobile devices to enroll. Now you're asking them to enroll something on the desktop, which effectively undoes the "something you have" benefit of TOTP (see: the 1Password thread above). At least a recovery code _can_ be printed out.

I don't think the logic you're employing here is coherent. Consider it a bit longer! This post could be a good longstanding reference, but this is a big flaw.


Yeah, we discussed this a bit internally and concluded that opt-in recovery is an unreasonable standard to encourage. I'll update the post shortly.

Edit: Updated.


I like this post a lot!


Tom, just to be clear, your counterpoint to the original wording is "Recovery codes _should_ be mandatory", correct? Would you consider "Recovery codes should only be mandatory if a user has only configured a single second factor" to be a reasonable alternative?

I have multiple U2F keys configured on all of my important accounts. I'm comfortable enough in my belief that I won't lose _all_ of my keys to not want recovery codes to exist so I don't need to worry about storing them. This places me in the extreme minority of users to be certain, but I still don't want my security weakened by recovery codes that I won't ever use.


I'm ambivalent about the multiple factors case (unless one of the factors is SMS). My feeling (can't back up with evidence) is that most people who do that are savvy, but remember that part of the point of recovery codes (which are in fact a second factor) is to protect you from the service provider's account recovery flow. The more routine account recovery has to be, the less secure the service is likely to be.
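The two rules floated in the exchange above (recovery codes are a second factor and should be single-use, and they are only mandatory when a user has a single non-SMS second factor enrolled) put into working code. This is an added illustration, not code from any commenter or from the post under discussion; the `Account` model, the `"sms"`/`"totp"`/`"u2f"` labels and the eight-code, 40-bit format are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    """Hypothetical account record (constructed for this example)."""
    factors: list                      # enrolled second factors, e.g. ["totp", "u2f"]
    recovery_hashes: set = field(default_factory=set)  # unused codes, stored hashed


def recovery_codes_required(factors: list) -> bool:
    """Policy from the thread: mandatory only when fewer than two strong
    second factors are enrolled; SMS is not counted as a strong factor."""
    strong = [f for f in factors if f != "sms"]
    return len(strong) < 2


def _hash(code: str) -> str:
    # Codes are high-entropy random strings, so an unsalted SHA-256 is adequate;
    # storing only the hash keeps a database leak from yielding usable codes.
    return hashlib.sha256(code.encode()).hexdigest()


def issue_recovery_codes(account: Account, count: int = 8) -> list:
    """Generate a fresh set of codes (10 hex chars = 40 bits each), replacing
    any previous set. The plaintext is shown once, to be printed or stored
    offline, and is never kept server-side."""
    codes = [secrets.token_hex(5) for _ in range(count)]
    account.recovery_hashes = {_hash(c) for c in codes}
    return codes


def redeem_recovery_code(account: Account, presented: str) -> bool:
    """Single use: a matching code is removed on success, so a replay fails."""
    h = _hash(presented.strip().lower())
    for stored in account.recovery_hashes:
        if hmac.compare_digest(stored, h):      # constant-time comparison
            account.recovery_hashes.discard(stored)
            return True
    return False
```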


Let's be clear though on who is at fault: this is way too hard to use correctly even at expert level. Users make mistakes because we are putting them at the controls of the 747 when they just wanted to send a spreadsheet to their colleague.


100% agreed. I've updated the post to soften the argument around recovery codes.


What? A constructive outcome? But my nerdfight!



