
SMS as a second factor is not a net reduction in security. The ability to hijack a phone via number porting or similar could give access to SMS messages, but by definition a second factor should never reduce your security.

What does reduce security is the use of SMS as a password reset mechanism, or any similar method that uses SMS as the only factor for authentication. Don't do that.




It gives users a false sense of security and providers an excuse not to implement something better. Most (all?) of those who only support SMS 2FA also get the part about no resets wrong.



