undefined | Better HN

0 pointslstamour12y ago0 comments

Something you have, something you know ... I can see the utility in requiring just those. But I've found it useful to get messages from service providers when, for instance, my ATM card is used, or when I login at a new computer. So I'd like to add to that list "something you monitor" whether through SMS-based 2FA, push notifications, or just plain emails or further challenges if something looks suspicious (e.g. logins from Africa when I'm also logged in from the US)

0 comments

1 comments · 1 top-level

zobzu12y ago

While I don't consider the notifications to be part of the authentication - I agree, yes, notifications are good.

We're doing something like that at my company as well (its not a bank or anything). If you log from other countries, have too many repeated failed (or even successful) attempts in a time period, etc. you get notified on a dashboard/you can optin for an email (or /and an email that forwards to your SMSes).

then you can decide if/when you want to see it and to notify security if you think there's a problem. saves a lot of time for the sec team as well which only will manually check when the alerts reach a higher threshold.

j / k navigate · click thread line to collapse