
Using phone numbers for verification is just stupid. I've switched phones a few times over the years and just got a new number rather than keeping my old one, and I got locked out of my accounts because I didn't have access to the old number anymore. Stuff like Authy and Google Authenticator exist, I think it's time companies started using them.


Even the US government uses it, such as for logging into your Social Security account.


I was shocked that login.gov even allows Yubikeys. Wish more banks would follow their lead.


Specifically, login.gov implements WebAuthn.

So this should mean you can use the built-in biometric security of an iPhone or high-end Android, since those can also be used with WebAuthn in the built-in browser or with Firefox, or any security key, not just a Yubikey.

WebAuthn is easier (one tap login), it cannot be phished, it's privacy preserving, and yet somehow here we are in 2020 and most sites are like "Hmm, maybe we should add SMS 2FA?"
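
Added example, not part of any comment in this thread: the "cannot be phished" property in the comment above comes from checks like these, which a relying party runs on every WebAuthn assertion. The RP ID, origin and sample assertions are constructed for illustration, and signature verification is omitted.

```python
import base64
import hashlib
import json

# Assumed relying-party settings (hypothetical values for this example).
RP_ID = "login.example"
EXPECTED_ORIGIN = "https://login.example"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(origin: str, rp_id: str, challenge: bytes, flags: int = 0x01):
    """Constructed sample: the clientDataJSON and authenticatorData a browser
    and authenticator would produce for a page loaded from `origin`."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,  # filled in by the browser, not by the page
    }).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (1) || signCount (4)
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    return client_data, rp_hash + bytes([flags]) + (1).to_bytes(4, "big")


def check_assertion(client_data: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Return the list of failed binding checks (empty list = all passed).
    Verifying the signature over authData || SHA-256(clientDataJSON) with the
    stored public key is the next step and is not shown here."""
    errors = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        errors.append("type")
    if cd.get("challenge") != b64url(challenge):  # stops replay of old assertions
        errors.append("challenge")
    if cd.get("origin") != EXPECTED_ORIGIN:  # look-alike site shows up here
        errors.append("origin")
    if len(auth_data) < 37:
        return errors + ["authData length"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rpIdHash")
    if not auth_data[32] & 0x01:  # UP (user present) flag
        errors.append("user presence")
    return errors
```

An SMS code typed into a look-alike page is valid anywhere; an assertion produced on a look-alike origin fails the `origin` and `rpIdHash` checks at the real site.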


And what happens if you lose your Yubikey?


login.gov requires you to pick two second factors. So, either you had two Yubikeys (or, as I mention in a parallel sub-thread, any other type of FIDO Security Key or WebAuthn-capable platform) or you had an entirely different second factor and that still works.



