
It mitigates phishing and password reset attacks. It also means you can give a friend or family member access to some account over the phone one time, without giving them permanent access. It is also good on unencrypted public Wi-Fi or in a company network with a proxy that sees and logs everything.

The real world is very imperfect.




It mitigates the simplest forms of phishing. If someone is running a proxy server [0] and passing everything along to the real website, token (or SMS) based 2FA can't do anything.

[0]https://breakdev.org/evilginx-2-next-generation-of-phishing-...
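To make the relay argument concrete, here is an added simulation (not code from the thread, from evilginx or from any real site): a "real site" that checks password plus TOTP, a look-alike "phishing proxy" that forwards whatever the victim types within the 30-second window, and the same proxy replaying a captured code later. It goes one step beyond the comment by also showing an origin-bound challenge (a WebAuthn-style signature, simplified here to an HMAC with a symmetric credential key) that the identical relay cannot pass, because the victim signs the domain they actually visited. All secrets, domains, challenges and timestamps are constructed for the example.

```python
"""Simulated in-process: real-time phishing proxy vs. TOTP and vs. an origin-bound credential."""
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

# Constructed example secrets; real deployments generate these randomly.
PASSWORD = "correct horse battery staple"
TOTP_SECRET = b"constructed-shared-totp-secret"
CRED_KEY = b"constructed-credential-key"   # stands in for a registered key pair
NOW = 1_700_000_000.0                      # fixed clock so the run is deterministic


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(now // STEP))


class RealSite:
    """The genuine service. Accepts password + TOTP from the current step or its neighbours."""
    ORIGIN = "https://bank.example"

    def login_totp(self, password: str, code: str, now: float) -> bool:
        if not hmac.compare_digest(password, PASSWORD):
            return False
        step = int(now // STEP)
        return any(hmac.compare_digest(code, hotp(TOTP_SECRET, s)) for s in (step - 1, step, step + 1))

    def challenge(self) -> bytes:
        return b"constructed-random-challenge"  # would be fresh random bytes in practice

    def login_origin_bound(self, challenge: bytes, signature: bytes) -> bool:
        """Recompute over the site's OWN origin; a signature over any other origin fails."""
        expected = hmac.new(CRED_KEY, challenge + self.ORIGIN.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected)


class PhishingProxy:
    """Attacker's look-alike domain. Forwards everything the victim submits to the real site."""
    ORIGIN = "https://bank-login.example"

    def __init__(self, upstream: RealSite, relay_delay: float = 2.0):
        self.upstream = upstream
        self.relay_delay = relay_delay  # seconds between capture and forwarding


class Victim:
    """Types the password and the current OTP into whichever page is in front of them."""

    def type_otp(self, now: float) -> str:
        return totp(TOTP_SECRET, now)

    def sign(self, challenge: bytes, origin_seen: str) -> bytes:
        # An origin-bound authenticator signs the origin the browser actually loaded,
        # which for a phished user is the attacker's domain, not the bank's.
        return hmac.new(CRED_KEY, challenge + origin_seen.encode(), hashlib.sha256).digest()


def totp_relayed_in_real_time(now: float = NOW) -> bool:
    """Victim enters password + OTP on the proxy; proxy forwards them seconds later. Succeeds."""
    site, proxy, victim = RealSite(), PhishingProxy(RealSite()), Victim()
    code = victim.type_otp(now)
    return proxy.upstream.login_totp(PASSWORD, code, now + proxy.relay_delay)


def totp_replayed_later(now: float = NOW, delay: float = 120.0) -> bool:
    """Same capture, but forwarded four steps later. Outside the window, so it fails:
    the relay has to be live, which is exactly what a reverse-proxy phishing kit provides."""
    proxy, victim = PhishingProxy(RealSite()), Victim()
    code = victim.type_otp(now)
    return proxy.upstream.login_totp(PASSWORD, code, now + delay)


def origin_bound_relayed(phished: bool) -> bool:
    """Origin-bound credential. Relayed through the proxy it fails; used directly it succeeds."""
    site, proxy, victim = RealSite(), PhishingProxy(RealSite()), Victim()
    challenge = site.challenge()
    origin_seen = proxy.ORIGIN if phished else site.ORIGIN
    signature = victim.sign(challenge, origin_seen)
    return proxy.upstream.login_origin_bound(challenge, signature) if phished \
        else site.login_origin_bound(challenge, signature)


if __name__ == "__main__":
    print("TOTP relayed within the window:", totp_relayed_in_real_time())
    print("TOTP replayed two minutes later:", totp_replayed_later())
    print("Origin-bound, relayed via proxy:", origin_bound_relayed(phished=True))
    print("Origin-bound, direct to real site:", origin_bound_relayed(phished=False))
```

The important line is the one-argument relay: the proxy never needs the TOTP seed, only the code the victim just typed and a forwarding path faster than the validity window. The origin-bound case fails for a structural reason rather than a timing one, since the bank checks a signature over its own domain and the victim never produced one.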


Hence "mitigates" and not "cancels".



