Ask HN: When is 2FA not enough?
I've noticed more and more sites ask you to log in with a username and password, then either answer a "secret" question or type in a 2FA token, AND THEN - in addition - "verify" your device. That's usually done by texting or emailing you a PIN that you type into the site.
I was under the impression that username + password + 2FA token was sufficient for anything public. What am I missing?
5 comments
[ 3.1 ms ] story [ 37.7 ms ] threadIt also helps a bit with fraud (users who create multiple accounts) because it's usually harder to come up with several working mobile phone number. I say usually because professional fraudsters will find a way around that hurdle.
Undercover Boss Star Killer Base Edition https://youtu.be/FaOSCASqLsE?t=3m48s
2FA is a weak link, it's been proven it's easy to social engineer access to your phone account/number. Once someone has your phone they will receive all your 2FA notifications and once they can reset your email password with it they have the keys to the castle.
Plus if you lose your phone, then you're locked out, without your printable one time use keys, that you probably didn't print.
There has to be something better.