
It's not just emerging markets. Many people are not capable of setting up authenticator apps, not everyone is a "techy" and not everyone is smart. Those people use the internet too.

SMS token is something that is much easier to use. 2FA with SMS is still a lot of added security in comparison to no second factor at all. Especially for people who use insecure passwords.




> Many people are not capable of setting up authenticator apps, not everyone is a "techy" and not everyone is smart.

That might be true but on the other hand most companies using Teams etc. will be introducing 2FA with the MS Authenticator App. Techie or not, you need to install an app and scan a QR code.


Once again, not every person using the internet is working for a company.

If you don't know anyone that will just laugh at you when you tell them "it's super easy, you just need to install an app and scan a QR code", then you're living inside a bubble. Every year at my mum's birthday party her friends already queue up in front of me, so I can install some apps for them.


Are they too stupid (I don't mean that in a condescending way) or just too lazy? I know several elderly people (75 to 85 years old) that have no problem installing apps on iPhones. On the other hand I know others that "play dumb" but I think it's mostly an issue of fear.


It doesn't "add" security, it "adds" an account takeover path.


How is a second factor adding an "account takeover path"? You're not seriously saying that adding a second factor is reducing security?

We can agree that password reset via SMS token is bad. It basically reduces everything to one factor login via SMS.


I agree with you, SMS as implemented almost everywhere* is bad, adding an account takeover path (the reset by SMS) with insufficient value-add to offset that 100% guaranteed (see research I linked elsewhere in thread) path to account takeover.

And as to "You're not seriously saying that adding a second factor is reducing security?" -- yes I am, when it's not a second factor, it's implemented as an "only factor".

To that point, btw, I'd linked to your other reply about resets from a couple of mine: https://news.ycombinator.com/item?id=39467039

* Note: And by "as implemented almost everywhere", I mean so indistinguishable from everywhere that that effectively boils down to "SMS is bad", much easier for users and builders to understand, when better options are available.
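
The disagreement in the thread above (SMS as a second factor versus SMS as a reset path) can be checked mechanically. The following is an added example, not part of the thread: it models login and reset flows as sets of factors and computes the smallest set of factors whose loss is enough to lose the account. The three configurations and the factor labels are constructed for illustration.

```python
from itertools import combinations

# Constructed configurations. "login" lists the factor sets that grant access;
# "resets" maps a factor to the factor sets that can replace it.
PASSWORD_ONLY = {"login": [{"password"}], "resets": {}}
SMS_2FA_NO_SMS_RESET = {"login": [{"password", "sms"}], "resets": {}}
SMS_2FA_SMS_RESET = {
    "login": [{"password", "sms"}],
    "resets": {"password": [{"sms"}]},  # password reset by SMS code alone
}

def reachable(controlled, resets):
    """Factors held after applying reset flows until nothing new is gained."""
    held = set(controlled)
    changed = True
    while changed:
        changed = False
        for factor, paths in resets.items():
            if factor not in held and any(path <= held for path in paths):
                held.add(factor)
                changed = True
    return held

def can_login(controlled, account):
    held = reachable(controlled, account["resets"])
    return any(path <= held for path in account["login"])

def minimal_takeover_sets(account):
    """Smallest factor sets whose loss is enough to lose the account."""
    reset_paths = [p for paths in account["resets"].values() for p in paths]
    factors = sorted(set().union(*account["login"], *reset_paths))
    found = []
    for size in range(1, len(factors) + 1):
        for combo in combinations(factors, size):
            candidate = set(combo)
            if any(smaller <= candidate for smaller in found):
                continue  # a subset already suffices, so this is not minimal
            if can_login(candidate, account):
                found.append(candidate)
    return found

def effective_factor_count(account):
    return min(len(s) for s in minimal_takeover_sets(account))

if __name__ == "__main__":
    for name, cfg in [("password only", PASSWORD_ONLY),
                      ("password + SMS", SMS_2FA_NO_SMS_RESET),
                      ("password + SMS, SMS reset", SMS_2FA_SMS_RESET)]:
        print(name, effective_factor_count(cfg), minimal_takeover_sets(cfg))
```

Password plus SMS without an SMS reset needs two factors, which is the "added security" case; adding the SMS-only reset drops the effective count back to one, and that one factor is the phone number.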



