
> In which case there are much safer recovery mechanisms available. For example, a second U2F token, or handwritten backup codes.

Which have either higher costs or "administrative burden" or both, which will lead them to failure for a big chunk of non-tech-savvy people. Educating a casual user that they need to print out recovery codes and store them in a safe place is not exactly top-notch usability.




> Educating a casual user that they need to print out recovery codes and store them in a safe place is not exactly top-notch usability.

So then have two U2F tokens. Or use your phone's TPM as a U2F token. The usability of phone-based U2F is quite good.


A phone's TPM is the only U2F token that 99% of the world owns, assuming they own one at all.


Yes, as I've said, availability is the problem to solve. We should be shipping U2F tokens wherever we can. I'd like to see schools that require students to use GSuite and other U2F supporting sites giving students tokens for free. I'd like to see banks giving their customers tokens. I'd like to see companies giving them to employees.

IMO the problem is not "let's get some kind of 2FA" it's "let's get U2F in the hands of as many people as we can".


Most people don't own two phones though, and wouldn't think to have two separate U2F tokens.



