undefined | Better HN

0 pointsserial_dev1y ago0 comments

I don’t see why an authenticator app could not be used from desktop or web.

0 comments

3 comments · 1 top-level

sigmoid101y ago· 2 in thread

If you store your second factor on the same device where you login, there's really no need for an app (or a second factor for that matter), because if your device is compromised, you're screwed anyway. You might as well store a list of one time auth passwords on a piece of paper that you keep near your PC. In fact that way someone would have to compromise you physically and digitally, which may be more difficult. If you keep the paper on your person at all times, it will actually be pretty secure. If you use some encryption scheme for the text on top of that, you're already pretty much there. But that's complex, so people came up with hardware keys that you always keep on your person and that are not used for anything else. They are kind of the ultimate thing to deploy on scale, but still a lot of hassle for users. The next best thing is using an app on your phone. It's considerably more dangerous, but still much better than storing everything on your computer.

serial_devOP1y ago

I could have two computers, and I could also login to an app on my phone. There are valid reasons for a desktop authenticator app.

sigmoid101y ago

Phones tend to have much better security models than normal computers. So having both on a phone is much less of a risk than both on a computer. But if you're offering people to weaken their own security by increasing convenience, you're breaking your own security model anyways. You might as well let people opt out of MFA altogether, but fewer and fewer companies tend to do that. Not because technical edge cases might pop up, but because most people are lazy and that is dangerous.

j / k navigate · click thread line to collapse