undefined | Better HN

0 pointssome_furry4y ago0 comments

> Does anyone know if Twitch employees have two factor auth?

Yes, IIRC everyone at Amazon has a hardware security key (which is more secure than the standard mobile app TOTP most of us use everywhere online).

0 comments

ramesh314y ago

>(which is more secure than the standard mobile app TOTP most of us use everywhere online).

Is it though? The "wrench theory" applies here. It's not unthinkable that an employee was stalked on social media and had their key stolen.

bawolff4y ago

Its still more secure. Rubber hose cryptanalysis applies to both equally, but that doesn't mean there aren't other attacks that apply to totp which don't to yubikeys.

More secure != perfectly secure.

xmprt4y ago

With a phone you need my passcode to accept to 2FA request (assuming lock screen notifications are disabled). I think yubikeys can work without a passcode as long you plug it in right?

4 more replies

some_furryOP4y ago

Yes.

I don't know which protocols they use (obviously), but if they use WebAuthn, everything is public-key signatures. Even if you leak everything from the server, public keys buy you nothing.

https://webauthn.guide/

j / k navigate · click thread line to collapse