
I think it's because I'm tired, but I'm not following.

I log in to $app with my password. $app bounces me to SMS. I then go back to $app with the SMS code.

So I needed my password with $app and the code from the SMS.




In the article, it looks like the code via SMS was never required. Uber sent it out, then allowed a login without it. I've seen something like this before, where companies offer two-factor auth via SMS, but also allow SMS as a password reset channel - which means it's not two-factor anymore.

But in general, you're right. The problem with SMS as a second factor isn't that it's not two-factor, it's the ease of compromising both factors at once. Hijacking phone numbers is disturbingly easy, and smartphones mean that you can steal one physical token and get both email access (for password reset) and SMS access (for the code).
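The two failure modes this comment describes (a code that is sent but never checked, and SMS doing double duty as second factor and password-reset channel) are easier to see in a small model. The following is an added example written for this thread; it is not Uber's code and not from the linked article. The account store, the `Channel` stand-in for the carrier/mail provider, and the `sim_hijacker_gets_in` attacker are all constructed for illustration.

```python
"""Toy model of two SMS-2FA failure modes discussed in the thread.

Constructed example: the account store, channels and attacker below are
hypothetical and exist only to show why each flow collapses to one factor.
"""
import hashlib
import hmac
import secrets


def _h(password: str) -> bytes:
    # Toy hash for the model only; production code would use a slow KDF.
    return hashlib.sha256(password.encode()).digest()


class Channel:
    """Stand-in for a delivery channel (SMS or e-mail).

    Records the last code sent to each address. An attacker who has hijacked
    the victim's phone number is modelled as being able to read sms.inbox.
    """
    def __init__(self):
        self.inbox = {}

    def send(self, address, code):
        self.inbox[address] = code


class Account:
    def __init__(self, phone, email, password):
        self.phone = phone
        self.email = email
        self.pw_hash = _h(password)
        self.pending_otp = None     # SMS one-time code awaiting verification
        self.pending_email = None   # e-mail reset token awaiting verification


def _issue(acct, channel, address, attr):
    code = f"{secrets.randbelow(10**6):06d}"
    setattr(acct, attr, code)
    channel.send(address, code)


def _consume(acct, attr, presented):
    """Single-use check: the pending code is cleared whether or not it matched."""
    expected = getattr(acct, attr)
    setattr(acct, attr, None)
    return (expected is not None and presented is not None
            and hmac.compare_digest(expected, presented))


# --- failure mode 1: the code is sent but never enforced ------------------
def login_vulnerable(acct, sms, password):
    if not hmac.compare_digest(_h(password), acct.pw_hash):
        return False
    _issue(acct, sms, acct.phone, "pending_otp")
    return True  # BUG: session granted before the SMS code ever comes back


def login_hardened(acct, sms, password, otp=None):
    """Returns "otp_required" after the password step; True only once the code matches."""
    if not hmac.compare_digest(_h(password), acct.pw_hash):
        return False
    if otp is None:
        _issue(acct, sms, acct.phone, "pending_otp")
        return "otp_required"
    return _consume(acct, "pending_otp", otp)


# --- failure mode 2: SMS is also the password-reset channel ---------------
def reset_request(acct, sms, email, *, sms_only):
    _issue(acct, sms, acct.phone, "pending_otp")
    if not sms_only:
        # Hardened variant: reset also needs a token from a channel that is
        # not the second factor, so holding the SIM alone is not enough.
        _issue(acct, email, acct.email, "pending_email")


def reset_complete(acct, otp, new_password, email_token=None, *, sms_only):
    ok = _consume(acct, "pending_otp", otp)
    if not sms_only:
        ok = _consume(acct, "pending_email", email_token) and ok
    if ok:
        acct.pw_hash = _h(new_password)
    return ok


def sim_hijacker_gets_in(acct, sms, email, *, sms_only):
    """Attacker holds the victim's phone number but not the password or e-mail."""
    reset_request(acct, sms, email, sms_only=sms_only)
    otp = sms.inbox.get(acct.phone)
    if not reset_complete(acct, otp, "attacker-pw", None, sms_only=sms_only):
        return False
    # Reset succeeded with SMS alone: the "second" factor now unlocks login too.
    if login_hardened(acct, sms, "attacker-pw") != "otp_required":
        return False
    return login_hardened(acct, sms, "attacker-pw", sms.inbox[acct.phone]) is True


if __name__ == "__main__":
    victim = Account("+15550100", "victim@example.invalid", "correct horse")
    print("SMS-only reset, SIM hijacker logs in:",
          sim_hijacker_gets_in(victim, Channel(), Channel(), sms_only=True))
    victim = Account("+15550100", "victim@example.invalid", "correct horse")
    print("Reset needs e-mail too, SIM hijacker logs in:",
          sim_hijacker_gets_in(victim, Channel(), Channel(), sms_only=False))
```

The point of `sim_hijacker_gets_in` is that the attacker never learns the original password: with an SMS-only reset path, control of the phone number is sufficient to set a new password and then satisfy the SMS check, so the flow is one factor in practice. Requiring a token from a channel the attacker does not hold (e-mail here) restores the second factor; a real deployment would also rate-limit and expire these codes, which the toy omits.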


I got the impression there was no password input. It's getting way too common to do phone based verification, and authenticate new phones by SMS codes.

If it asked for the password (does Uber use passwords at all?) then yes, I was just saying dumb things; please ignore.


If your Android phone is infected then 2FA effectively becomes a single factor that is under the attacker's control.



