undefined | Better HN

0 pointsnaniwaduni3y ago0 comments

While there are scenarios where 2FA can maintain security where a password is compromised, it's absolutely true that for a large swath of practical threat models, almost the entire benefit of 2FA comes in the form of assigning the shared secret instead of letting the user pick a weak and/or widely-reused password and the "having a second factor" bit doesn't really factor into the picture in any meaningful way.

0 comments

staticassertion3y ago

These weaknesses are implementation specific. FIDO2/U2F is unphishable, requires proof of presence, and is a significant security win over a strong password.

Wowfunhappy3y ago

Is PyPI requiring maintainers to use a hardware key? If not, I don’t understand how this policy is helpful.

Anyone who hadn’t already turned on 2FA is going to use the most frictionless so-called second factor they can.

1 more reply

naniwaduniOP3y ago

I'm not calling it a weakness. I'm saying that the alleged advantages of the 2F in 2FA don't normally matter to people who just want to their shit to work.

j / k navigate · click thread line to collapse