
Naming/training issue imo.

We need a better name than MFA.

Something like “a personal, password-like token that should only be entered into a secure computer on a specific website/app/field and never needs to be shared”



It's well known that OTP is not immune to phishing. Force your users onto WebAuthn or some other public-key-based second factor if you're aiming at decreasing the incident rate.


I blame SAML and any other federated login being an "enterprise only" feature on most platforms.

So users get used to sharing passwords between multiple accounts and no centralised authority for login. This causes the "hey what's your password? I need to quickly fix this thing" culture in smaller companies which should never be a thing in the first place.

If users knew the IT department would never need their passwords and 2FA codes, they would never give them out. The reason they give them out is because at some point in the past that was a learned behaviour.


Ugh, or being able to generate an API/service token. It just ingrains the bad passwords and password sharing if you have to use passwords everywhere.


Well, push-based 2FA with "select this number on your 2FA device" helps prevent some vectors. Simple TOTP doesn't do that.

"Never give your TOTP or one-time code over the phone" is good advice.

"Never give info to someone who called you, call them back on the official number" is another.

This is user error at this point.


I disagree. Especially now that companies are centralizing on a couple of 2FA companies (like Okta from TFA), this is just ripe for phishing. Okta itself is terrible at this; they don't consistently use the okta.com domain, so users are at a loss and have basically no protection against impersonators.


For Okta, if it is set up properly, the user should get push notifications. And in that push notification is a number they need to select to validate the push.

This eliminates credential phishing and "notification exhaustion" where a user just clicks "ok" on an auth request by a bad actor.

As much as I advocate for non-cloud services, what Okta provides is very secure.


Man, you should see what people are getting up to with evilginx2 these days. They are registering homoglyph URLs just for you and running MITMs that pass through the real site 1:1, and forwarding to the real thing once they skim your login token, so you never even notice. The really crappy phishes and jankfest fake sites are pretty much obsolete.

Then they hang out in your inbox for months, learn your real business processes, and send a real invoice to your real customer using your real forms except an account number is wrong.

Then the forensics guy will have to determine every site that can be accessed from your email and whether any PII can be seen. What used to be a simple "hehe I sent spam" is now a 6-month consulting engagement and telling the state's attorney general how many customers were breached.
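Why the real-time proxy described above relays a TOTP code successfully but fails against the WebAuthn-style second factor an earlier comment recommends, shown as an added simulation that is not from any commenter. The origins, secrets and challenge are constructed, and an HMAC stands in for the authenticator's real public-key signature; the TOTP function is a faithful RFC 6238 implementation.

```python
import hashlib, hmac, json, os, struct, time

# Constructed sample values; not real accounts, keys or domains.
REAL_ORIGIN = "https://sso.example.com"
PROXY_ORIGIN = "https://sso-example.com.attacker.invalid"   # constructed look-alike origin
TOTP_SECRET = b"constructed-shared-totp-secret"
CRED_KEY = b"constructed-authenticator-key"  # stand-in for the credential's private key

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the secret and the time."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def rp_verify_totp(code: str, t: int) -> bool:
    """Real site: a TOTP code carries no origin, so a relayed code is indistinguishable."""
    return hmac.compare_digest(code, totp(TOTP_SECRET, t))

def authenticator_assert(challenge: bytes, browser_origin: str) -> dict:
    """Simplified WebAuthn: the browser (not the user) writes the origin it is actually
    on into clientData, and the authenticator signs over it (HMAC stands in for ECDSA)."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": browser_origin})
    sig = hmac.new(CRED_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}

def rp_verify_webauthn(assertion: dict, challenge: bytes) -> bool:
    """Real site: accept only if the signature is valid AND the signed origin is its own."""
    data = json.loads(assertion["clientData"])
    expected = hmac.new(CRED_KEY, assertion["clientData"].encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(assertion["signature"], expected)
            and data["challenge"] == challenge.hex()
            and data["origin"] == REAL_ORIGIN)

def relay_through_proxy(t: int) -> tuple[bool, bool]:
    """Victim interacts with PROXY_ORIGIN; the proxy forwards everything to the real site."""
    totp_ok = rp_verify_totp(totp(TOTP_SECRET, t), t)          # relayed code: accepted
    challenge = os.urandom(16)                                 # real site's challenge, forwarded as-is
    assertion = authenticator_assert(challenge, PROXY_ORIGIN)  # browser signs the origin it sees
    webauthn_ok = rp_verify_webauthn(assertion, challenge)     # origin mismatch: rejected
    return totp_ok, webauthn_ok

def direct_login(t: int) -> tuple[bool, bool]:
    """Same user, same credentials, but the browser is on the real origin."""
    challenge = os.urandom(16)
    return (rp_verify_totp(totp(TOTP_SECRET, t), t),
            rp_verify_webauthn(authenticator_assert(challenge, REAL_ORIGIN), challenge))

if __name__ == "__main__":
    now = int(time.time())
    print("via proxy (totp accepted, webauthn accepted):", relay_through_proxy(now))
    print("direct    (totp accepted, webauthn accepted):", direct_login(now))
```

The check that matters is the origin comparison in `rp_verify_webauthn`: the user cannot be tricked into "entering" the origin, because the browser supplies it and the signature covers it.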


I've been thinking along these lines for a while. The whole "factors of authentication", where higher=better is no longer a good summary of the underlying complexity in modern authn systems.

We need better terminology.

