undefined | Better HN

0 pointsIncRnd3y ago0 comments

Password logins are 1-factor, while password logins that use phone verification are 2-factor. In what cases does the security from 1-factor exceed the security from 2-factors?

0 comments

3 comments · 2 top-level

eimrine3y ago· 1 in thread

> In what cases does the security from 1-factor exceed the security from 2-factors?

1. If you consider the loss of a phone number to be a more likely event than a forgotten password (non-obvious example - if you have no extra money to keep the phone number working).

2. If some powerful contractors can capture the data coming to your phone.

3. Also, if there is some kind of banhammer (Google is famous for banning for no reason) in the "2-factor" and no banhammer in the 1-factor (Bitcoin has no third-parties who might steal or freeze your funds), then your chance of encountering a banhammer in your face is infinitely greater in the first case.

More than 1 factor creates more problems than usefullness tbh if you are enough responsible for never lose your credentials.

IncRndOP3y ago

> 1. If you consider the loss of a phone number to be a more likely event than a forgotten password (non-obvious example - if you have no extra money to keep the phone number working).

That's silly. If you lost your phone number, why would you attempt to log into a service and have it text or call your lost phone number? The provider in question here (along with many others), Google, provides backup codes for this situation. Besides, if you are more likely to constantly lose phone numbers, it's best not to use those for authentication/authorization.

> 2. If some powerful contractors can capture the data coming to your phone.

That doesn't matter to 2-factor. That "powerful contractor" would be in possession of a time-bound pin that can only be used by the device and account that had just had the credentials entered. It is useless to anyone else.

> 3. Also, if there is some kind of banhammer (Google is famous for banning for no reason) in the "2-factor" and no banhammer in the 1-factor (Bitcoin has no third-parties who might steal or freeze your funds), then your chance of encountering a banhammer in your face is infinitely greater in the first case.

This also doesn't apply. Google provides backup codes that can be used in such a case. As do digital ocean and others...

> More than 1 factor creates more problems than usefullness tbh if you are enough responsible for never lose your credentials.

Except that isn't true. I noticed that you placed 2-factor in quotes, showing that you likely do not understand 2-factor is formed from any two out of the three possible security factors. There is also 1.5 factor authentication, which is acceptable to put in quotes, since it is pseudo-2factor.

What you know. What you have. What you are.

> (Bitcoin has no third-parties who might steal or freeze your funds)

I'm not sure your comment was serious... Bitcoin and the entire crypto ecosystem are full of third-parties who steal or freeze funds.

LightHugger3y ago

Phone verification is 1-factor in most implementations on every popular website. It's just that the factor is now your phone, and your password can be changed with your phone number. Your password might as well not exist. The problem with phone verification is that phones are less secure than passwords. This isn't even a 1 factor vs 2 factor discussion. Again, Phone verification is 1 factor.

To be more specific, if the implementation of 2 factors requires both factors, then it is indeed more secure. If it's a form of 2 factor that requires only one factor, it's less secure, because now you have more attack surface.

j / k navigate · click thread line to collapse