
This isn't quite true. 2FA still protects you from password breaches (and weak passwords, though you shouldn't have those if you're using a password manager).

Also, keeping 2FA codes in a syncable password manager is a huge boon for people who ever break/lose phones. Can't tell you how many people get locked out of their accounts because they lose their 2FA codes.

As an alternative, companies have to have a 2FA-reset process. The fact that such a system exists weakens the entire system, which is too bad.




TOTP-based 2FA wouldn't protect you against a password breach, since the breach would most likely include the TOTP seed alongside any password hashes.

WebAuthn-based 2FA would; but AFAIK there isn't really a way to store WebAuthn keys in password managers at the moment.
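To make the point above concrete, here is an added example (not the commenter's code) of why a server-side breach that includes the TOTP seed is not the same as one that only includes password hashes. It implements RFC 4226 HOTP and RFC 6238 TOTP on top of Python's standard library and builds a constructed user record: the password is stored as a salted PBKDF2 hash, but the TOTP seed must be stored in a form the server can use to recompute codes, so a copy of the record is enough to reproduce the user's current code. The record layout, the fixed salt and the `make_user_record`/`verify_*` helpers are assumptions made for the example; the seed `12345678901234567890` is the reference seed from the RFC 6238 test vectors, so the outputs can be checked against the RFC.

```python
import hashlib
import hmac
import struct
import time

# ASCII seed "12345678901234567890": the reference seed from RFC 4226 / RFC 6238 test vectors.
RFC_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second windows since the epoch."""
    return hotp(seed, unix_time // step, digits)


# Constructed (hypothetical) server-side record. The password survives only as a salted one-way
# hash; the TOTP seed has to be usable by the server, so it sits in the record as-is (or encrypted
# under a key the same server holds, which a full compromise would typically also expose).
PBKDF2_ROUNDS = 100_000
FIXED_SALT = b"constructed-fixed-salt"  # fixed so the example is deterministic; use os.urandom in practice


def make_user_record(password: str, totp_seed: bytes) -> dict:
    return {
        "password_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), FIXED_SALT, PBKDF2_ROUNDS),
        "salt": FIXED_SALT,
        "totp_seed": totp_seed,
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Server-side password check: recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["password_hash"])


def verify_totp(record: dict, code: str, unix_time: int) -> bool:
    """Server-side TOTP check for the current 30-second window (no drift tolerance, for brevity)."""
    return hmac.compare_digest(totp(record["totp_seed"], unix_time), code)


def code_from_record_alone(record: dict, unix_time: int) -> str:
    """What a copy of the stored record yields: the exact code the user's authenticator shows,
    because the record holds the seed itself rather than a one-way hash of it."""
    return totp(record["totp_seed"], unix_time)


def password_in_record(record: dict, password: str) -> bool:
    """Contrast: the plaintext password does not appear in the record; only its PBKDF2 hash does."""
    return password.encode() in record.values()


if __name__ == "__main__":
    record = make_user_record("correct horse battery staple", RFC_SEED)
    now = int(time.time())
    print("password hash stored, plaintext present:", password_in_record(record, "correct horse battery staple"))
    print("code recomputed from the record alone:", code_from_record_alone(record, now))
    print("server accepts that code:", verify_totp(record, code_from_record_alone(record, now), now))
```

The practical consequence for a defender is that a database dump containing TOTP seeds should be treated as a credential compromise that requires re-enrolling every user's second factor, not just a password reset; the salted hash side of the record has no such property because PBKDF2 is one-way.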


I was curious about that, so I looked into it; KeePassXC has some mixed messages about it:

https://github.com/keepassxreboot/keepassxc/issues/1870 says "awesome!"

https://github.com/keepassxreboot/keepassxc/issues/1996 says "go away"

and I can't figure out what is going on with https://github.com/keepassxreboot/keepassxc/issues/3560

They reference https://github.com/kryptco/kr-u2f in one of the issues, but it was bought by Akamai and the code was never under an open source license to begin with :-(



