undefined | Better HN

0 pointsmichaelmior6y ago0 comments

How so? An SSH key is a single factor. You could argue that a password-protected private key provides a second factor, but that still falls in the category of "something you know."

0 comments

will42746y ago

How many people can recite their SSH key? Surely an SSH key is "something you have".

wnevets6y ago

Having two different static passwords on an account isn't actually two different factors, whether you can recite them or not.

The fact that one time passwords expire and change is what makes them a different factor than a static password.

thaumasiotes6y ago

> The fact that one time passwords expire and change is what makes them a different factor than a static password.

If you're getting your 2FA code by SMS message or the like, this can be true.

If you're using TOTP (e.g. Google Authenticator), that's just as static as your other passwords. The TOTP code never expires nor changes. What changes is the code you're supposed to send over the wire.

1 more reply

thaumasiotes6y ago

A TOTP challenge is also "something you know", which is a really large portion of total "2FA".

j / k navigate · click thread line to collapse

0 comments

will42746y ago

How many people can recite their SSH key? Surely an SSH key is "something you have".

wnevets6y ago

Having two different static passwords on an account isn't actually two different factors, whether you can recite them or not.

The fact that one time passwords expire and change is what makes them a different factor than a static password.

thaumasiotes6y ago

> The fact that one time passwords expire and change is what makes them a different factor than a static password.

If you're getting your 2FA code by SMS message or the like, this can be true.

1 more reply

thaumasiotes6y ago

A TOTP challenge is also "something you know", which is a really large portion of total "2FA".

j / k navigate · click thread line to collapse