undefined | Better HN

0 pointsRaisingSpear1y ago0 comments

But password managers typically don't send keyboard commands to fill in a password, so a physical device would be useless.

> There are plenty of scenarios where MFA is more secure than just a strong password.

And how realistic are they? Or are they just highly specific scenarios where all the stars must align, and are almost never going to happen?

0 comments

mr_mitm1y ago

I don't think phishing is such an obscure scenario.

The point is also that you as an individual can make choices and assess risk. As a large service provider, you will always have people who reuse passwords, store them unencrypted, fall for phishing, etc. There is a percentage of users that will get their account compromised because of bad password handling which will cost you, and by enforcing MFA you can decrease that percentage, and if you mandate yubikeys or something similar the percentage will go to zero.

RaisingSpearOP1y ago

> I don't think phishing is such an obscure scenario.

For a typical person, maybe, but for a tech-minded individual who understands security, data entropy and what /dev/random is?

And I don't see how MFA stops phishing - it can get you to enter a token like it can get you to enter a password.

I'm also looking at this from the perspective of an individual, not a service provider, so the activities of the greater percentage of users is of little interest to me.

mr_mitm1y ago

> And I don't see how MFA stops phishing - it can get you to enter a token like it can get you to enter a password.

That's why I qualified it with "certificate-based". The private key never leaves the device, ideally a yubikey-type device.

1 more reply

j / k navigate · click thread line to collapse

0 pointsRaisingSpear1y ago0 comments

But password managers typically don't send keyboard commands to fill in a password, so a physical device would be useless.

> There are plenty of scenarios where MFA is more secure than just a strong password.

And how realistic are they? Or are they just highly specific scenarios where all the stars must align, and are almost never going to happen?

0 comments

mr_mitm1y ago

I don't think phishing is such an obscure scenario.

RaisingSpearOP1y ago

> I don't think phishing is such an obscure scenario.

For a typical person, maybe, but for a tech-minded individual who understands security, data entropy and what /dev/random is?

And I don't see how MFA stops phishing - it can get you to enter a token like it can get you to enter a password.

I'm also looking at this from the perspective of an individual, not a service provider, so the activities of the greater percentage of users is of little interest to me.

mr_mitm1y ago

> And I don't see how MFA stops phishing - it can get you to enter a token like it can get you to enter a password.

That's why I qualified it with "certificate-based". The private key never leaves the device, ideally a yubikey-type device.

1 more reply

j / k navigate · click thread line to collapse