Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> may I suggest spending a couple of days volunteering for a local Victim Support charity.

Please try being less condescending.

Losing the keys, due to whatever reason, means losing one factor. If the user loses the key, the "mugger" still needs to get the users' passwords.

2FA = something you know + something you own. Having one factor compromised should not compromise your accounts if the service you are using is configured correctly.



> 2FA = something you know + something you own.

That's not exactly correct. Another factor is something you are, such as a fingerprint or eye. There are three classes of factors from which drawing any two is called 2FA.

There is also a 1.5 factor auth, used for example by many banks, in which there is a server challenge for the very vulnerability stated in the article.


What’s the second factor with yubikey? The site seems to say it’s passwordless.


A yubikey doesn't replace a password.


Oh, it seemed like that was what this site was saying:

https://www.yubico.com/solutions/passwordless/




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: