
I'm currently fighting against management dragging their feet on using 2FA.

On HIPAA PHI.

(I know HIPAA doesn't actually mandate 2FA, but it's recommended by many best practices and guides.)

Apparently some tech folks don't like the inconvenience of 2FA.



DoD contractors are now required to have 2FA.

https://duo.com/blog/federal-contractors-must-meet-cybersecu...


Maybe not a popular or shared opinion (so nobody take this as advice), but IMO 2FA (especially phone-based) is overrated while being a serious inconvenience to users and developers.

Many of the recent attacks I've seen simply bypass it altogether in favor of phishing or other traditional techniques.

Clients (Ansible?) simply don't work with it or do it well, which leads to hacks that undermine your 2FA deployment anyway-- rogue admins opening reverse tunnels to allow file transfers, webshells, etc.


2FA freaks me out. It means I'll be locked out of all my key accounts and services if ever my phone breaks or gets lost. Probably right when I need these services most.


That’s why they usually have backup keys that you physically keep in a safe place.


That sounds decent, but I've not seen this a lot. It's often just "give us your phone number and we'll SMS you an access key when you log in".


Unfortunately I see this all too often on systems that have enabled 2FA but not TOTP.



