
My comment still applies. In the majority of 2FA implementations you activate via SMS, then you can set up TOTP.

Even if you forget about SMS, SMS is still available to get a code and bypass 2FA.

Authy itself, if you have the app, never sends you an SMS but a push notification.

I'm not sure Duo is relevant in this discussion; no consumer app that I know/I'm aware of uses Duo.




I'm not sure you're following. You don't have to register with Google or with Duo to use their TOTP applications. Google Authenticator installed on your phone doesn't ask for your Google account or your phone number; it just sits there waiting for you to show it a bar code for a TOTP site. Same with Duo.

Used that way --- the default way --- you can't bypass it with SMS.


The parent comment was asking about GA vs Authy.

Responses were like GA is better because there's no SMS. This is true if you look at GA vs Authy mobile apps.

This is false if you look at the consumer services where you enabled 2FA (Google, Facebook, Twitter, Instagram, Coinbase, Twitch...). They all require SMS to set up 2FA, and let you use SMS to bypass GA.

You cannot bypass GA (the TOTP) with an SMS; you can bypass the service's 2FA, because for availability reasons they must provide you more than a single 2FA method.



