
If you can compromise the account based on a SIM swap alone, then that site has 1FA (the phone number).

2FA requires you to have 2 factors at the same time. E.g., when I log onto Amazon from a new browser with a valid username+password, it additionally requires me to confirm via my phone number.

1-or-1FA (e.g. resetting your password via SMS if you forget your password) is just increasing the attack area of 1FA (it would be more secure without it).

The problem it's trying to solve is that it's conventionally unacceptable to lock people out of their accounts.



Let's say that it wasn't you who logged in with a valid username and password, but an attacker.

Under what circumstances does the phone number prompt prevent the attacker from accessing your account?

Perhaps they used phishing? Then they can just phish the SMS code as well.

Perhaps they're a MITM over an insecure channel? Then they can just wait for you to enter the SMS code.

Perhaps you installed their malware? Then they can just inject some code into the browser.
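The two comments above make a structural argument: the number of factors a site really enforces is the size of the smallest set of factors that unlocks the account across *every* path (login, password reset, ...), and an attacker scenario matters only for which factors it hands over. The following is an added example written for this page, not code from either commenter. It models each access path as the set of factors it demands at once and each attacker scenario as the set of factors it yields; the path names, factor labels and scenario table are hypothetical constructions covering the cases both comments describe (SIM swap, phishing, MITM, browser malware).

```python
"""Model access paths as factor sets and compute the effective factor count.

Added example for the thread above; the path/factor/scenario names are
hypothetical labels, not any site's real policy.
"""
from itertools import combinations

# Each access path -> the factors it demands at the same time.
LOGIN_2FA = {
    "login": {"password", "sms"},
}

# Same login, plus the "1-or-1FA" reset path: SMS alone unlocks the account.
LOGIN_2FA_WITH_SMS_RESET = {
    "login": {"password", "sms"},
    "password_reset": {"sms"},
}

# What each attacker scenario hands the attacker (constructed, per the comments):
# SIM swap yields the SMS channel; phishing/MITM/malware capture the password
# and can relay or read the SMS code as it is entered.
SCENARIOS = {
    "sim_swap": {"sms"},
    "phishing": {"password", "sms"},
    "mitm": {"password", "sms"},
    "malware": {"password", "sms"},
}


def can_access(paths, held):
    """True if some path's full factor set is covered by the factors held."""
    return any(required <= held for required in paths.values())


def minimal_compromises(paths):
    """All minimal factor sets that unlock the account.

    Enumerates subsets by increasing size and keeps only those with no
    smaller unlocking subset, so each result is a genuine minimum.
    """
    factors = set().union(*paths.values())
    minimal = []
    for size in range(1, len(factors) + 1):
        for combo in combinations(sorted(factors), size):
            held = set(combo)
            already_covered = any(m <= held for m in minimal)
            if not already_covered and can_access(paths, held):
                minimal.append(held)
    return minimal


def effective_factor_count(paths):
    """The 'FA' a policy really enforces: size of its smallest unlocking set."""
    return min(len(m) for m in minimal_compromises(paths))


def scenarios_that_win(paths):
    """Which attacker scenarios get in under a given policy."""
    return sorted(name for name, held in SCENARIOS.items() if can_access(paths, held))


if __name__ == "__main__":
    for label, policy in (("login only", LOGIN_2FA),
                          ("login + SMS reset", LOGIN_2FA_WITH_SMS_RESET)):
        print(f"{label}: effective {effective_factor_count(policy)}FA, "
              f"minimal compromises {minimal_compromises(policy)}, "
              f"winning scenarios {scenarios_that_win(policy)}")
```

Running it shows the two comments' points side by side: adding the SMS reset path drops the effective count from 2 to 1 and lets the SIM-swap scenario in, while phishing, MITM and malware unlock even the pure login+SMS policy because they yield both factors at once. The model deliberately ignores timing (an SMS code's short validity window) and the origin of a login attempt; any real analysis would add those as additional factors or path constraints.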



