Surely if you're designing a 2-factor authentication system, a compromised password is the exact case you're designing for, not an edge case.


Let me clarify...you're designing against complete takeover of an account, which without 2-factor authentication, can be done with just the password.

Now the other part of the equation: a security system has to be designed against real-world practicalities...In this case, where does the main risk come from? Mass anonymous attacks, such as phishing or a database compromise...now unless phone numbers can be mass-acquired via knowing a bunch of passwords (can the installing of the Twitter app for iPhone and clicking the "send to phone" link be automated?)...it now becomes a lot of work to take that extra step...and when you've completed it...you still can't break into the Twitter account...How many phishers are stealing passwords just so they can learn a bunch of people's phone numbers? The ones that have that strategy...well, keep on doing that, because that's way more work than other channels for mass-gathering phone numbers.

Now, if the retort is, "well, there may be someone who an attacker REALLY wants to compromise, and the phone number is one more piece of the puzzle."...Then that's a different ballgame. Now you have an attacker who is not drive-by-random phishing, but is going after one person, and going after that one person hard.

So the situation where a victim gives an antagonist (say, the FBI, or NSA, or whoever you are investigating) their password...again, that is most definitely an edge case. And it requires a different systems design (by design, I mean the detailed fallback procedures for cases when a user loses their phone and needs to recover it, and so forth).

I can see advantages for Twitter to show the phone number to someone who knows an email and the actual password: you may be someone with multiple phones, or have forgotten that your 2-factor-auth is assigned to a different phone/Google Voice...showing the phone number mitigates the confusion of the user who's wondering when the hell the code is coming, when in fact, the code may never come to the expected phone number.

So, how frequent is that situation compared to one where a user announces his password to the whole world? I'm guessing, quite frequent.
