
They can switch to display the right one when you enter your email address, they already do this. And of course indeed it doesn’t work with methods like sms and emailing codes, both of which are not secure anyway.


> They can switch to display the right one when you enter your email address, they already do this

So the effect here is this gives bad guys a free targeting feature. Just type in any email addresses and Microsoft will tell you which 2FA is enabled if any.

> And of course indeed it doesn’t work with methods like sms and emailing codes

So, it doesn't help at all for the good case, and it breaks the bad case worse, what was the goal again?
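The enumeration concern raised above (an unauthenticated caller types an email address and learns whether the account exists and which second factor it uses) can be made concrete. The block below is an added illustration, not code from Microsoft or from anyone in this thread: a hypothetical login-start handler that answers differently per account, beside a uniform variant that defers any account-specific detail to the step after the password is verified, plus a small check a defender can run against either handler. The account table, passwords and session store are constructed sample data.

```python
"""Added example: pre-authentication responses that leak account state versus
responses that are identical for every input. Not from the original thread."""
import hmac
import secrets

# Constructed sample accounts (assumption: a hypothetical service that records
# each user's enrolled second factor). Plaintext passwords are used only so the
# example runs stand-alone; a real service stores a password hash.
ACCOUNTS = {
    "alice@example.com": {"password": "alice-pw", "mfa": "totp"},
    "bob@example.com": {"password": "bob-pw", "mfa": "sms"},
    "carol@example.com": {"password": "carol-pw", "mfa": None},
}

# Opaque session token -> email submitted at the first step.
SESSIONS: dict[str, str] = {}


def leaky_login_start(email: str) -> dict:
    """Behaviour criticised in the thread: the reply depends on the account,
    so the email field alone acts as an enumeration oracle."""
    acct = ACCOUNTS.get(email.lower())
    if acct is None:
        return {"status": "unknown_account"}
    return {"status": "ok", "mfa": acct["mfa"] or "none"}


def uniform_login_start(email: str) -> dict:
    """Hardened variant: every input gets the same response shape. The address
    is remembered server-side under a random token and nothing about the
    account is revealed until the password has been checked."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = email.lower()
    return {"status": "ok", "next": "password", "session": token}


def password_step(session: str, password: str) -> dict:
    """Second step of the uniform flow. Only a correct password unlocks the
    account-specific detail (which second factor to prompt for); an unknown
    address and a wrong password produce the same failure."""
    email = SESSIONS.get(session)
    acct = ACCOUNTS.get(email) if email else None
    # Compare against a dummy value for unknown accounts so the code path
    # does the same work either way (constant-time compare, same shape).
    stored = acct["password"] if acct else "no-such-account-dummy"
    if acct is None or not hmac.compare_digest(stored, password):
        return {"status": "failed"}
    return {"status": "ok", "next": acct["mfa"] or "none"}


def is_enumeration_oracle(handler, probe_emails) -> bool:
    """Defender check: call the pre-auth handler with known and unknown
    addresses and report whether the replies differ. The random session token
    is dropped before comparing, since it varies by design, not by account."""
    shapes = set()
    for email in probe_emails:
        reply = dict(handler(email))
        reply.pop("session", None)
        shapes.add(tuple(sorted(reply.items())))
    return len(shapes) > 1


if __name__ == "__main__":
    probes = ["alice@example.com", "bob@example.com", "nobody@example.com"]
    print("leaky handler is an oracle:", is_enumeration_oracle(leaky_login_start, probes))
    print("uniform handler is an oracle:", is_enumeration_oracle(uniform_login_start, probes))
    first = uniform_login_start("bob@example.com")
    print("after correct password:", password_step(first["session"], "bob-pw"))
```

The uniform flow still lets the service show the right second-factor prompt, just one step later: the method is disclosed only to a caller who has already proven knowledge of the password, which is the point at which it no longer serves as a free targeting signal. Response shape is only part of the picture; timing differences between the known and unknown branches deserve the same scrutiny.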


Sorry, but if you think emailing codes is the good case you’re beyond help.


WebAuthn is the good case, which is the case you didn't break since it doesn't care about any of this. And you made the bad cases worse. So good news I guess, "At least Microsoft aren't as bad at this as tinus_hn".


Ah, so you just don’t get it. That’s fine. Other people will improve things along the way.


