
Please do not allow people to call SMS 2FA. For it to be 2FA, it must be: something I know alone, something I possess alone, something I am alone. Otherwise, it's just another account identifier (and likely spoof-able). SMS and phone numbers are none of these.

In the same vein, I wish security questions would die in a fire. Always treat them like additional passwords: use nonsensical words and store them in your password manager.



Don't forget to change your birthday, mother's maiden name, fingerprint, and face regularly.


Exactly. "Things I own alone" are no good as passwords, if they cannot be changed. They are account identifiers only.

And if a password has sufficient entropy (not likely to ever be duplicated) then the account identifier is pointless. Just use the password as sufficient authentication.


Personally I do change my birthday and mother's maiden name for every service I sign up for.

I make up random answers and write them down in the notes of my password manager. I always try and recommend others do the same.
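The approach in the comments above (random, unrelated answers for every security question, kept in the password manager) is easy to do by hand but easy to do badly, e.g. by picking "memorable nonsense" with far less entropy than a password. The following is an added example, not code from any commenter: it draws answers from a word list with a CSPRNG and reports the entropy so you can judge whether an answer is at least as strong as a password. The word list is a constructed stub; a real tool would load a large list such as the EFF diceware list, and the entropy figure assumes the attacker knows the list and the word count.

```python
import math
import secrets

# Constructed stub word list (32 entries). Real usage would load a large
# published list; entropy scales with log2(list size) per word.
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "gable", "hazel",
    "ivory", "juniper", "kelp", "lumen", "mango", "nickel", "ocelot", "pebble",
    "quartz", "raven", "saffron", "tundra", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "aspen", "bramble", "cedar", "drift", "elm", "fern",
]


def answer_entropy_bits(words: int, wordlist_size: int) -> float:
    """Bits of entropy for `words` independent uniform picks from a list."""
    return words * math.log2(wordlist_size)


def random_answer(words: int = 4, wordlist=WORDLIST) -> str:
    """A security-question answer that is a random phrase, not a fact about you.

    secrets.choice is a CSPRNG; never use random.choice for this.
    """
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count whose entropy meets target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def make_security_answers(questions, target_bits: float = 60.0, wordlist=WORDLIST):
    """Map each question to a fresh random answer meeting the entropy target.

    Returns (answers, bits_per_answer) so the caller can store both in a
    password-manager note and see how strong the answers are.
    """
    n = words_needed(target_bits, len(wordlist))
    answers = {q: random_answer(n, wordlist) for q in questions}
    return answers, answer_entropy_bits(n, len(wordlist))


if __name__ == "__main__":
    qs = ["Mother's maiden name?", "First pet?", "City of birth?"]
    answers, bits = make_security_answers(qs)
    for q, a in answers.items():
        print(f"{q:28s} -> {a}")
    print(f"{bits:.1f} bits per answer")
```

Note the entropy is only meaningful if the answer is never reused across services and the word list is not tiny; with the 32-word stub above you need 12 words to reach 60 bits, whereas a 7776-word diceware list gets there in 5. The support-desk weakness mentioned later in the thread (a rep accepting "it's just nonsense") is not something the generator can fix.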


Be careful with nonsense in those security question answers. I've heard many are plain text and if you tell the rep, "it is just nonsense," they can say "yup, sounds good."


> Always treat them like additional passwords: use nonsensical words and store them in your password manager.

I wish password managers would make this easier.



