Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> A good website will ask for 2FA again if a user tries to do something destructive (like change password, email, or disable 2FA). They wouldn’t be able to do those things.

The page mocking the login page where you need to answer the 2FA will simply phish your 2FA then, after a little delay pretending there's some lag, would say "wrong code, please try again". Now the person enters a second 2FA (which, due to the delay, would be different than the first one).

As I've just commented in a top-level comment: I've seen sites using a 72 hours delay before any destructive change can be made, coupled with the sending of an email containing a link allowing to unilaterally prevent the change.

I've also seen sites using two 2FA (TOTP style), one for login, one for any setup/destructive change. And there are sites using both techniques.

It's not 100% foolproof but it's better than "one 2FA phished and it's game over".



Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: