top | item 39360936

(no title)

Two ways:

- a Yubikey - a sparingly used email account with no 2FA, just a very long password

2FA through the sort-of-secret email account lets me get back into Bitwarden (and thus everything else) even if my house burns down and I lose access to all of my yubikeys. And auth on a device that doesn't easily support yubikeys, like older iPhones.

2FA is very useful, but highly overrated. If you have a sufficiently long and complex memorized password (and the email platform actually lets you create one that's properly long, 40+ characters), it's unlikely that you'll have any problems unless you accidentally share the password somewhere.

Of course I feel like all my my precautions are moot when my bank and CC company force SMS 2FA. But I haven't found any with superior security schemes anwyway.

discuss

jorvi|2 years ago

> 2FA is very useful, but highly overrated.

What a bizarre statement. It protects you from any password leak.

If you have 2FA, even if you get keylogged or phished or breached or shoulder peeked, your intruder still does not gain access.

vanilla_nut|2 years ago

Sorry, but my Article and Walmart.com accounts do not need 2FA. I'm fine with OTP, but most places use SMS 2FA, which exposes a unique identifier for myself and -- due to SIM swapping, which is a risk on literally every major carrier due to horrible customer service operations -- often makes it easier for a malicious actor to hijack my account.

You're generally correct, though: GOOD 2FA is not overrated and I would welcome it on any account. But it's obnoxious that almost every account I have uses SMS as a singular point of failure. I'd welcome a move back to email 2FA with a backup email for account recovery.

ckcheng|2 years ago

Apparently MFA in practice mainly protects against credential stuffing:

https://hn.algolia.com/?dateEnd=1705017600&dateRange=custom&...

lambence|2 years ago

Small side tangent - I’m on Mint Mobile and enabled 2FA for my account there, which is required for all customer calls. This would stop SIM swapping attacks which are the main failure point for SMS 2FA, right?

jabroni_salad|2 years ago

that depends entirely on Mint's 'lost 2fa' recovery process.

https://www.reddit.com/r/mintmobile/comments/104h7p2/locked_...

seems like some senior CSRs can still get you bypassed.

TurningCanadian|2 years ago

Passwords don't protect against spoofed login pages.

cwbriscoe|2 years ago

Yeah, if you type your password in manually. Password managers protect against spoofed pages though.