Yep. They've been planning that for a while, hopefully a case of "leading by example". For me hardware keys (U2F) with TOTP as a backup are really essential. I've purged SMS where I can. Unfortunately, too many (like banks) have stopped at SMS and email as options -- and that only recently. My (insert name of wildly popular open source password manager here) vault is secured by U2F with TOTP as a fallback, and I use its TOTP feature to secure logins for less sensitive services. Someone mentioned building in delays for resets: that's actually how both the US IRS and Social Security roll. Last time I reset SSA I had to wait for a physical letter with further instructions. Inconvenient, but probably a step in the right direction. If government intel agencies weren't so uptight about crypto, we could all have our own officially issued crypto keys by now. But no. The proles can't be trusted -- and don't deserve it anyway.
Making existing accounts less secure by removing a second factor is not “leading by example” in my book. Just make me pick a different second factor on my next sign-in.
Not sure if the yay is sarcasm. Heroku will remove existing SMS as second factor from all accounts, effectively making those accounts less secure. Yay Heroku! (Sarcasm intended)
No sarcasm intended at all on my part -- I think this is a very good move.
SMS is very bad as a 2FA, in that someone can fairly easily social-engineer your phone company to send them a new SIM card for your account, and once it's in their phone, all your SMS messages go to them. They now have control of your "protected" account (and yeah, they have to get your password as well, but if you're a big enough target, it's worth it).
This is why getting rid of SMS entirely as a 2FA is seen as an improvement in security.
Removing 2FA from existing accounts is never an improvement in security. As other replies on this post have noted, having SMS as 2FA is always better than not having 2FA. Heroku is actively harming their users' security by removing 2FA from users' accounts. Some users will not set up a new 2FA method on their account, leaving their account vulnerable to password attacks.
Unless they are requiring everyone to use 2FA, isn't that objectively worse than having the option of SMS 2FA? I'm sure there are a significant number of people who would just switch back to using a password instead of SMS 2FA rather than having to get a non-SMS second factor, since it is much less convenient than just putting in a phone number.
Well... I think that if they don't require 2FA, then, well, they don't require 2FA, and not having SMS is neither worse nor better.
If they do require it, then I believe the consensus is that 2FA via SMS is a very bad choice. And since Google Authenticator (and other such apps) are free to download and use, it's not really a burden.