undefined | Better HN

0 pointsrobbya6y ago0 comments

> Imagine someone in a domestic abuse situation

Depending on how abusive you are thinking, that sounds like rubber hose cryptanalysis. That's a hugely powerful approach and I think all 2FA can be bypassed with that, if not most of modern cryptography.

https://en.m.wikipedia.org/wiki/Rubber-hose_cryptanalysis

> having their phone taken

Keep in mind that other 2FA methods also are phone based, like TOTP / Google Authenticator. Those also fail if your unlocked phone is taken. SMS is even weaker than those, but still better as a second factor versus nothing.

0 comments

colechristensen6y ago

It is, in many ways, a worse vulnerability than rubber-hose cryptanalysis. When you run away from the person with the hose, you can change your passwords and they won't be compromised any more.

If somebody has your phone, a physical address associated with you, and some basic biographical information, they can continue recovering access to your accounts in a way which is difficult to escape, especially because of the misplaced trust in using phone numbers for security.

The threat in that situation is being vulnerable and having to digitally escape as well as physically escape, and if you don't do both simultaneously you can be continuously compromised in a way which is very difficult to succeed.

j / k navigate · click thread line to collapse