Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Also, I'm a big fan of U2F keys including Yubikeys.

I don't use SMS, deprecated it 10 years ago in favor of e-mail, and would never use SMS for 2FA. I still have a virtual SMS number that forwards to my e-mail for the idiot sites that still insist on it.

For most people, SMS is hackable, tied to a single battery-powered device, easy to steal (after which for most people in the default phone configuration the SMS verification codes will happily pop-up on the lock screen without unlocking the phone), and hugely inconvenient if you are in front of a desktop computer all day and have to go find your phone (at home for example I pretty much never have my phone next to me). SMS also famously locks people out of their accounts when they go to another country and have to use a different SIM card. Also, if you have a giant desktop in front of you, it's ridiculous to not use that as your 2FA device. You should NEVER have to pick up a 6" handheld device for 2FA when you have a massive immobile, hard-to-steal device in front of you that in my case is also physically locked down to furniture.

Yubikeys and other U2F keys do exactly this.

The article is wrong about one thing:

"But if you’ve stolen my laptop and the YubiKey is plugged in, then you’ve got the keys to my kingdom."

No. My preferred way to use Yubikeys is to buy one for each immobile device (home/office desktops) that stays plugged in, and ONE mobile key that lives in my wallet. Register all keys with critical services. If any device gets stolen (highly unlikely for the immobile devices, the mobile device is the only one I need to worry about really), go home, log in with another key and remotely disable it.

My main gripe is websites that don't allow multiple Yubikeys. AWS is at the top of my hall of shame.



> I still have a virtual SMS number that forwards to my e-mail for the idiot sites that still insist on it.

Really? How? Last time I tried to do this it turned out that apps/sites would not send to these virtual SMS numbers.


A. Don't use Google Voice

B. Find a different virtual SMS number. Try other countries as well. Sometimes it costs a small monthly fee but I don't want to give in to their idiotic game.


I would love to be a fan of Yubikeys, in fact most people would say I _am_ a fan of Yubikeys, I think I have like 10 of them (due to product evolution and always buying a few when I buy one).

Unfortunately most of the sites I use do not have anything to do with them.


Have you tried using the Yubico Authenticator? It usually solves the problem for the sites that don't support U2F, such as PayPal, Coinbase, Gusto, and others.


I haven't, I'll give it a shot with PayPal, that's definitely interesting to me.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: