
I believe Google has some kind of service you can turn on where you will pair it with a U2F token like a Yubikey or their Titan key. At that point, all other forms of login and password recovery are turned off. In theory, that should stop the SIM-swap attack.

See: https://support.google.com/accounts/answer/7539956?hl=en




I use Authenticator, which should also stop a SIM-swap. However, I've noticed that many services seem to require activating 2FA via text message in order to activate authenticator. Has anyone else noticed that?


Quite a few do require you to have at least two second-factor methods set up, although I think for me only one has ever insisted on setting up phone / text 2FA. If you don't have a spare phone for TOTP or a Yubikey for U2F, phone-based might be all you can use (considering a surprisingly small number of 2FA supporting sites seem to implement recovery codes).


The point is that, while there are dangers, TXT 2FA is leagues better than not having anything at all.


Unfortunately, Yubikey at least basically only works in Google Chrome, so if you actually want to use your account you have to use methods other than the Yubikey.


You can use it in any browser. You have to register it in chrome. Crappy, but not a line in the sand I'm willing to die on.


Conventionally, one metaphorically chooses a _hill_ to die on, and lines in the sand are only crossed or redrawn, not died on.

The insistence on using Chrome is arbitrary and I don't like it. The use of U2F rather than WebAuthn at least has a technical justification (older Android devices can't do WebAuthn, and while it's backward compatible in the sense that you can use a WebAuthn authentication having signed up with U2F, vice versa is not possible, so old Android devices would have a confusing UX behaviour) but the insistence on Chrome is just arbitrary lock-in.

I won't be dying on that hill either, but it does suck.


> The insistence on using Chrome is arbitrary and I don't like it.

Supposedly this limitation is because Firefox doesn't implement the JavaScript calls that permit a U2F-calling site to know the type of U2F key being used and Google wants to enforce, when enrolling for ATP, that at least one of the two keys being enrolled can be used wirelessly (Bluetooth or NFC).

I don't agree with it either but will only truly be mad if/when Mozilla implements the requisite call and Google still blocks enrollment without Chrome.


You'd think Ubuntu chromium-browser might be acceptable for Google U2F setup -- but no, not when I tried a couple of months ago.


Worked for me. :(

What error did you see?


Ha! That was an amusing mix of phrases. You got what I meant though, and provided some color. Agreed on it sucking.



