Ask HN: When is 2FA not enough?

3 points by Domenic_S ↗ HN
I've noticed more and more sites ask you to log in with a username and password, then either answer a "secret" question or type in a 2FA token, AND THEN - in addition - "verify" your device. That's usually done by texting or emailing you a PIN that you type into the site.

I was under the impression that username + password + 2FA token was sufficient for anything public. What am I missing?

5 comments

[ 3.1 ms ] story [ 37.7 ms ] thread
What is an example of a site that does this?
Verizon was the annoyance that sparked my question.
Texting or emailing is to make sure they can contact you in the future. Be it for support or up-selling.

It also helps a bit with fraud (users who create multiple accounts) because it's usually harder to come up with several working mobile phone number. I say usually because professional fraudsters will find a way around that hurdle.

In this case it was Verizon, who for sure knows my phone number ;)
Dude 2FA straight up sucks!

Undercover Boss Star Killer Base Edition https://youtu.be/FaOSCASqLsE?t=3m48s

2FA is a weak link, it's been proven it's easy to social engineer access to your phone account/number. Once someone has your phone they will receive all your 2FA notifications and once they can reset your email password with it they have the keys to the castle.

Plus if you lose your phone, then you're locked out, without your printable one time use keys, that you probably didn't print.

There has to be something better.