undefined | Better HN

0 pointsjwilk4y ago0 comments

Recovery codes are generated by the server, so:

• there's no temptation for the user to use them on another website, where they could leak

• the server can ensure they are high-entropy (although AFAICS GitHub's recovery codes are only 40-bit…)

Moreover, if someone takes over your e-mail account, they can reset your password; but they can't reset the recovery codes.

0 comments

3 comments · 1 top-level

skrebbel4y ago· 2 in thread

If this is all though, then couldn't we just use username+password auth but have the server generate the password? Why at the phone to the loop at all?

dane-pgp4y ago

Are you saying that iPhone-maker Apple and Android-maker Google (and TPM-mandator Microsoft) might not be able to imagine a future where the whole world isn't dependent on them for identity?

skrebbel4y ago

No, I am not suggesting that 2FA is a secret ploy by BigCos to make them needlessly important. It's perfectly possible to log into services without using your Google/Apple/Microsoft identity, even if they insist on 2FA. Use the email and SMS, Luke!

j / k navigate · click thread line to collapse