
Because SMS is not even remotely a secure communication channel, and the point of two factors is proof of possession of two different classes of things (that you have some device and that you know some secret), and using an insecure channel to send a message weakens the proof of the have half of that, in much the same way as using a weak or published password weakens the know half.

Ideally, you want as strong as practical proofs of each half within the constraints set by UX considerations.



> Because SMS is not even remotely a secure communication channel

Neither is 2FA, it's a key stored completely unencrypted in both your phone and the host's db.


That's not particularly weak as proof to the person who controls the DB that you have access to the phone, which is what the device factor of a 2FA scheme is intended to prove, since you have to have access to either the DB or the phone to get the key.

Conversely, SMS's weakness is in the communication channel, which can be compromised without compromising the things for which the factor is intended as proof.


Phones get hacked too. If you ever access a site with your phone, it's not two factor auth. Malware can read your 2FA key and read your password as you type it in.


And thus why we have Yubikeys and other hardware tokens.



