
Maybe 'requires' is too strong a word. It's hardly mandatory, but I'd argue you should invalidate a lost or stolen seed for the same reason you should reset a lost or stolen password.

Of course it is not possible to access something protected by MFA if you only have one factor. But I don't think it follows that making it easy for an attacker to obtain a factor since you have two is OK; the whole point of MFA is that single factors are too easy to guess or steal. Solutions that encourage seed export and sharing make it easier to steal the seed, and leaving a seed active if a device it's on has been lost or stolen is like saying you don't care.



