
SMS 2FA is fine. 2FA adds another layer on top of your password. The second factor doesn’t have to be particularly secure to make you safer.

The problem is SMS account recovery, which is a really bad idea.




> The problem is SMS account recovery, which is a really bad idea.

The problem is that a lot of services tie the two together. Often one implies the other. Even if it doesn't, though, it's also easier to social engineer -- "look! I have access to the 2FA phone number! I just can't access my password manager!"


Companies do that, but they shouldn't call it 2FA at that point as it is no longer a _second_ factor: it has become the primary factor.


I'm not sure I've ever seen SMS account recovery.


Google has SMS account recovery.



