Ask HN: What are the alternatives to phone authentication?

16 points by JLCarveth ↗ HN
Recently my phone screen broke. Not cracked or shattered mind you, it won't turn on at all. At first, this didn't seem like a huge problem; I already have a new phone on order and it should be here in a few days.

However, as I am trying to sign on to my email and various services, I am realizing how difficult it is to access any of my accounts. Pretty much every service I am using wants me to use my phone to verify my identity.

For example, Google gives me three options after I login (I logged in with the password to the account...): - Tap 'Yes' on your phone or tablet - Use your phone or tablet to get a security code - Get a verification code (at my phone number)

All three of these options require me to posses my phone and have it be in working order. After all these years, is this really the only way companies can verify my identity? I don't like this single point of failure.

Edit: Also of note, I have a secondary email address attached to that first Google account, but they don't give me an option to verify my identity using that secondary email. So why have that secondary email there at all?

21 comments

[ 0.22 ms ] story [ 64.2 ms ] thread
Sometimes you learn the hard way. I try to use a Yubikey on as many services as possible, and when a service doesn't support U2F/Yubikeys, I resort to TOTP using the Google Authenticator app. I also backup the QR code seed image used to respawn the TOTP challenge response.

I also make sure to grab any recovery code offered by the service so I can get back in, if my phone (which has the authenticator app on it) gets lost/stolen/damaged, or I lose my Yubikey.

Google requires a phone number to register, but you can turn on U2F or TOTP 2FA and it won't ask for your number next time you login, and requires a Yubikey/TOTP instead.

Google already lets you use things like YubiKeys as your second factor instead of your phone. What other options would you like them to give you? Or are you advocating against 2FA?
Can you create a new google account with only a yubikey? (And never have to provide one for verification purposes)

Genuinely asking as I don't know.

I don't know either, but isn't this post about logging into an existing account, not creating a new one?
They're asking a question, not redefining the thread :)
Use OTP via "Google Authenticator". But instead of using google authenticator, use Authy, which is a similar app, but syncs the OTP seeds across many devices, so you can use any device you own.
This sounds like exactly what I need. Thank you!
If you don't want to download a separate app just for OTP codes, many password managers (like 1Password, which I use) can also store and sync OTP URLs/seeds, and can fill in auth codes like this along with your password. Highly convenient!
If the password manager is then not forcing 2FA, wouldn't this defeat the security gains from going two-factor?
> I don't like this single point of failure.

Honestly, this causes me much uncertainty in regards to something like Google Authenticator or other TOTP solutions (not exactly what the post is about, but very adjacent when you start considering the points of failure).

I mean, Google's solution in particular has a "Transfer accounts" option that lets you use QR codes for a backup, but that still feels somewhat worse than having desktop software as well like KeePass and some password/biometrics protected database file like .kdbx that I could open on my phones, tablets, computers etc.

Apparently the closest you can get on the desktop is Authy, which is a TOTP client that runs on multiple platforms: https://authy.com/download/

There was also WinAuth, but it seemingly isn't updated anymore, at least since 2018: https://github.com/winauth/winauth

To me, software like that feels infinitely more portable and more suited for backups, versus some vendored device like YubiKey which costs close to what a new Android device might cost, making it less affordable to many.

But in regards to Google and other platforms that have their own opinions about how to handle logging in and their bespoke multi factor implementations? There's even less chance of something portable being viable.

TOTP is an open standard, as you noted, you can just keep and exported file of the seeds and store them in an encrypted back up file, and import them into and TOTP app on any platform.

Services like authy make it difficult to export your seeds however, so it’s not a great option.

I don't like it either. It's so vulnerable to theft, damage, unreliable mobile network providers, SIM fraud, government surveillance, and who knows what else.

A security stackexchange discussion seemed rather divided over whether SMS/TOTP on mobile is "two factor" or "two step." If it's "two step," I wonder why it can't just be any two things I know. Like the good old security questions or a second email address.

Should be a choice at least so we can say this much security is more than enough for me because your idea of more security doesn't actually seem more secure to me in the real world of negligent policing and unprofessional companies.

Reading all this discussion, I am made acutely aware of the many times I would want to login to my AppleID page only to have Apple send a prompt to registered iOS devices (or SMS). I think they're the only ones who don't follow any form of TOTP
Funnily enough, Apple's services is the only place I've been able to just not answer my security questions and yet still access my email.
TOTP, WebAuthn (previously U2F)
I've used my email to recover my bride's account on occasion, and she's done the same for her sister.

Well, they could send a card through the mail to your home or office with as long a validation string as they like.

This is what some services in Germany do. All banks of course, but also my health insurance too. Also some parking app did it. This works well because the post is reliable, but has the disadvantage of being quite async. Also not entirely safe - I’ve had instances when the postman found me loitering in front of the house and just handed me my correspondence
For google:

U2F/WebAuthn

paper backup codes (scratch codes)

If only the screen is broken, but the phone can receive SMS, and you use mac with icloud, you can receive SMS on your mac.

Phone call or SMS to a "real" VOIP number, which you can then pickup on ANY phone and/or your computer. Google Voice isn't real enough for this.

You can also not use 2FA.

For other services: hit or miss. To the extent you can login to them with oauth ("login with google") and you don't mind giving away your identity that way (sounds like you don't care much), then always do that.

1) you don't have another password/account to manage

2) your google oauth login will stay valid for quite a long time, giving you lots of cushion to get a new phone, unless you're especially unlucky with the timing