
It literally protects you from key loggers. Isn't that important?
In practice, no. Key loggers are a minuscule threat to account security compared to weak passwords and password reuse.

But let's say you are in fact a user that gets targeted by an adversary capable of deploying a key logger against you. Does TOTP protect you? No! If you are compromised to that point, the attacker is also in a position to just hijack your sessions.

There isn't a threat model out there that is trying to solve the problem of "my end user device has been compromised but I still want to be able to use it to access sensitive systems without those systems being compromised."
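Added example, not from the thread: a toy RFC 6238 TOTP verifier plus a bearer-token session store, to make the point above concrete. A keylogger captures the password and the one-time code, but a replay fails both within the same time step (the code has already been consumed) and after the step rolls over (the code no longer matches). Copying the session token off the same compromised endpoint, on the other hand, needs neither. The secret, the username `alice`, the password `hunter2` and the fixed timestamp are constructed values for the demo; the session-token derivation is deterministic for the same reason and is not how a real server should mint tokens.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30   # RFC 6238 default step, seconds
DIGITS = 6

# Constructed demo values (not real credentials).
SECRET = b"12345678901234567890"
USER = "alice"
PASSWORD = "hunter2"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(now // step))


class Server:
    """Toy login server: password + TOTP on login, bearer session token afterwards."""

    def __init__(self, secret: bytes, password: str):
        self.secret = secret
        self.password = password
        self.used_counters = set()   # replay protection: each time step's code is accepted once
        self.sessions = {}

    def login(self, password: str, code: str, now: float):
        if not hmac.compare_digest(password, self.password):
            return None
        counter = int(now // TIME_STEP)
        # Strict: only the current step is accepted (real servers usually allow +/-1 of drift).
        if counter in self.used_counters:
            return None
        if not hmac.compare_digest(code, hotp(self.secret, counter)):
            return None
        self.used_counters.add(counter)
        # Deterministic token for the demo only; production tokens come from a CSPRNG.
        token = hashlib.sha256(f"{now}:{counter}".encode()).hexdigest()
        self.sessions[token] = USER
        return token

    def request(self, token: str):
        """Any request carrying a valid session token is served as that user."""
        return self.sessions.get(token)


def keylogger_replay(now: float):
    """Victim logs in; attacker replays the keylogged password and TOTP code.

    Returns (victim_login_ok, replay_same_step, replay_later_step).
    """
    server = Server(SECRET, PASSWORD)
    logged_code = totp(SECRET, now)              # what the keylogger saw
    victim_token = server.login(PASSWORD, logged_code, now)
    same_step = server.login(PASSWORD, logged_code, now + 1)               # already consumed
    later_step = server.login(PASSWORD, logged_code, now + 2 * TIME_STEP)  # expired
    return victim_token is not None, same_step, later_step


def session_hijack(now: float):
    """Same endpoint compromise, but the attacker copies the session token instead."""
    server = Server(SECRET, PASSWORD)
    token = server.login(PASSWORD, totp(SECRET, now), now)
    return server.request(token)   # no password, no TOTP, still served as the victim


if __name__ == "__main__":
    now = 1_700_000_000.0
    print("keylogger replay (victim ok, same step, later step):", keylogger_replay(now))
    print("session hijack served as:", session_hijack(now))
```

The replay checks are what the TOTP standard actually buys you against a keylogger; the hijack path shows why it buys nothing once the attacker can read the same process memory or cookie jar. Tightening the server (one-time codes, narrow drift windows) does not change that second result.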
Token binding was the closest we had - still lets a compromised endpoint in the right position steal and use the tokens from that device, but it's at least not persistent.
Keyloggers may not threaten people who habitually use personal devices, but I can see them still looming large for those who rely on public computers, in libraries, schools, coworking spaces, etc. YMMV.
True
