Hacker News

Does anyone know why services like Google Authenticator were ditched industry-wide in favor of SMS codes? It has never made any sense to me.

Feels like the industry needs to push for a dedicated, universal, probably physical, tool for 2FA.




They have it, it’s called FIDO2, and it even works with existing devices such as Touch ID or Windows Hello in common browsers such as Chrome. Even Google doesn’t promote Google Authenticator now, but they keep it around for legacy reasons because it still works, until you lose your phone. That’s where FIDO2 shines: just authenticate more than one device, including purchased hardware tokens if you want something cheaper than a phone, and you’ll always have at least one device with access, somewhere.


My biggest issue with FIDO is that it is tied to a hardware device. So if I ever lose it, it is a huge pain. So you need at least 2 (so only one can be your laptop with fingerprint or face recognition), and if you even get another one you need to remember every single service that you used 2FA for and enroll it in each of them.


> if you even get another one you need to remember every single service that you used 2fa for and enroll it in each of them

This is perhaps why FIDO2 works best when combined with single-sign-on systems, such as those promoted by large email providers, etc. Fewer accounts to have to manage 2FA devices for, and a greater chance that you've already signed in and authenticated your devices with all of them.

Personally, though, I use a password manager, and have some (but not all) sites tagged as 2FA in the password manager. So if and when it's time to add another key, I can just go down the list. Not as convenient as SSO-based 2FA, but sometimes you really don't want to sign in with Facebook, say. :)


Can FIDO2 be implemented for day-to-day use right now, such as email access? SMS 2FA and authenticator apps are built in to most applications, so they are easy to use.

and how do you do estate planning? I'd like to give my family access to all of my private keys for everything when I pass.


It’s built in to Safari, Chrome, Edge and other browsers; apps can easily integrate with system libraries for Windows Hello or Touch ID as they would anyway.

As for estate planning, set up a spare key that you can keep at a relative’s place, or add others’ accounts to your “Family” in Google/Microsoft/Apple/etc. Either they have their own keys and the company is aware of the handover or they have a copy of yours — such as you logging in on their device or keeping a FIDO2 key at their house and they can pretend to be you. A service like 1Password Family could also be of use here.


Yes, on shit tons of major services.

Register multiple/duplicate keys.


> until you lose your phone.

Just like any other password or data, 2FA strings also need to be backed up, e.g. in a password database (separate from the usual one).


True, but last I checked, Google Authenticator and other similar apps (except maybe Authy or password managers) would refuse to upload or backup keys to iCloud Backups for odd reasons. Presumably they wanted the same sort of identity properties that something like Touch ID has, and thus would be solved by having more than one ID.

Unfortunately most people have only one phone, so that didn’t work until options came along where you could add more than one token/device instead as backup.


Oh no, the string and/or QR code should be backed up when one is setting up the 2FA.

If you have that seed phrase, any device with the correct time can calculate the TOTP code, even a simple local JavaScript app.

Obviously, if that phrase leaked, a hacker could also generate codes. So that's why those phrases should be kept extra safe, away from normal passwords.
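The point above, that the seed plus a correct clock is all that is needed to produce (and to verify) a TOTP code, carried through as an added example that is not part of the thread or the linked utility. It implements RFC 6238 (HMAC-SHA1, 30-second steps) in Python and uses the RFC's own published test seed; the `verify_totp` server-side check with a clock-skew window is my addition for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32, for_time=None, digits=6, step=30, digest=hashlib.sha1):
    """RFC 6238 TOTP: HOTP(secret, floor(unix_time / step)) with dynamic truncation."""
    if for_time is None:
        for_time = int(time.time())
    # Seeds shown in enrollment QR codes are base32, often lowercase/spaced and unpadded.
    secret_b32 = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = for_time // step
    msg = struct.pack(">Q", counter)           # 8-byte big-endian step counter
    mac = hmac.new(key, msg, digest).digest()
    offset = mac[-1] & 0x0F                    # dynamic truncation (RFC 4226, 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, candidate, for_time, window=1, **kw):
    """Server-side check accepting +/- `window` steps of clock skew.

    Every slot is evaluated and compared in constant time so the response
    timing does not reveal which slot (if any) matched.
    """
    step = kw.get("step", 30)
    ok = False
    for delta in range(-window, window + 1):
        expected = totp(secret_b32, for_time + delta * step, **kw)
        ok |= hmac.compare_digest(expected, candidate)
    return ok


# RFC 6238 Appendix B test seed: ASCII "12345678901234567890", base32-encoded.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    # Any device with this seed and a correct clock produces the same code.
    print(totp(RFC6238_SEED_B32))
```

The 8-digit values at times 59, 1111111109 and 1234567890 reproduce the RFC 6238 Appendix B vectors (94287082, 07081804, 89005924); the usual 6-digit authenticator code is the last six of those digits.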


HN died on me before I was able to add the link to a little utility I cooked up to re-add those TOTP seed phrases: https://spa.bydav.in/otp.html


> Does anyone know why services like Google Authenticator were ditched industry-wide in favor of SMS codes? It has never made any sense to me.

This is not the case in my experience. Many apps that once used Authenticator-based TOTP now use app-based push alerts (Steam Authenticator, Blizzard Authenticator, Google->GMail App, etc.), but I haven't noticed a trend toward actual SMS.

Are there major orgs that switched to SMS 2FA and disabled authenticator apps? If so, I'd be interested in learning why, also.


The shit part is I now need 50 apps on my phone to use stuff. I don't want the steam app, I have no use for it. But features of my steam account are now limited because I don't use the app.


Service providers that are very behind the curve (e.g. banks, brokerages) started providing SMS-only 2FA years after internet companies started with TOTP. That could create the perception of a shift towards SMS.


SMS isn't about protecting your account from hackers, it's about protecting the service from bots. You'll notice if you have a VOIP account that the number can't be used to set up something like a GMail account, it requires an honest to god phone number, something you presumably paid money for. If you try to sign up a hundred accounts using one number you can be assured that it will cut you off very quickly. This is true of all major services.

This is also why they won't let you set up a good 2-factor authentication system (like a YubiKey) without first forcing you to set up SMS as a second factor. It's very important to remember to delete that SMS second factor after setting up your good second factor, or social engineers will use it to steal your account.


I think it's more that companies who did not previously offer 2FA are offering only SMS-based 2FA, not that companies who previously offered TOTP 2FA are now only offering SMS-based 2FA.


Ubiquity: almost everyone has a cell phone. They’re nearly required for all but the richest people.

Simplicity: nearly everybody understands how texting works.



