The parent was complaining about needing "either [...] a mobile phone [...] or some custom device", which is not true. And sure, Authy is a third-party; but it's not the only option, and you can implement your own (TOTP is not that complicated).

And TOTP has much better user experience than raw keys, especially for beginners who might mix the public/private parts, and experts who want hardware protection.

Actually my main concern is the reliance on 3rd parties - requiring a mobile phone is an implicit reliance on a lot of 3rd parties that IMO should not have any business where/how I authenticate myself.

I don't know about TOTP but if it can be completely independent from 3rd parties and can be used locally like private+public key signatures can then I guess it is fine.

"TOTP for 2FA is incredibly easy to implement. So what's your excuse?" shows how to do it in Python. https://drewdevault.com/2022/10/18/TOTP-is-easy.html .

Though Python would be a 3rd party dependency. ;)

HN comments about that article at https://news.ycombinator.com/item?id=33245042 . Including some of the problems people have had with 2FA usability.
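The thread's point that TOTP is small enough to implement yourself, and that it runs entirely locally once the shared secret is enrolled, is easiest to see in code. The block below is an added example written for this page; it is not the code from the linked article or from any commenter. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with only the standard library, checks them against the RFCs' published test vectors (ASCII secret "12345678901234567890", HMAC-SHA1), and adds the two things a verifier actually needs beyond "compute the 6 digits": a small clock-drift window and a replay check on the last accepted time step. The function names (`hotp`, `totp`, `verify_totp`, `decode_base32_secret`, `provisioning_uri`) and the `last_counter` parameter are this example's own choices.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) using only the Python standard library.

Added example for this page, not code from the linked article or any commenter.
Expected values in comments are the RFC 4226 Appendix D / RFC 6238 Appendix B
test vectors for the ASCII secret "12345678901234567890" with HMAC-SHA1.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)             # keep leading zeros


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step); no network needed."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: Optional[int] = None) -> Optional[int]:
    """Return the time-step counter the code matched, or None if rejected.

    Accepts +/- `window` steps of clock drift between client and server.
    Pass the counter returned by the previous successful verification as
    `last_counter` (hypothetical parameter name) so a code that was sniffed
    or phished cannot be replayed inside the drift window.
    """
    if at is None:
        at = int(time.time())
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if last_counter is not None and c <= last_counter:
            continue                                          # already consumed
        # compare_digest: do not leak how many digits matched via timing
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def decode_base32_secret(encoded: str) -> bytes:
    """Decode the Base32 secret used by authenticator apps and otpauth URIs."""
    s = encoded.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                                  # apps often omit padding
    return base64.b32decode(s)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI (the 'Key Uri Format') shown as a QR code at enrolment."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={digits}&period={step}")


if __name__ == "__main__":
    key = b"12345678901234567890"                             # RFC test secret
    print(hotp(key, 0))                                       # 755224
    print(totp(key, at=59, digits=8))                         # 94287082
    print(totp(key, at=1111111109, digits=8))                 # 07081804
    print(verify_totp(key, "287082", at=59))                  # 1  (accepted)
    print(verify_totp(key, "287082", at=59, last_counter=1))  # None (replay)
    print(provisioning_uri(key, "alice@example.com", "Example"))
```

The only secret is the shared key exchanged once at enrolment; after that both sides compute the same six digits from the key and the clock, so a phone is just a convenient place to keep the key, not a requirement. Two practical caveats the RFC test vectors do not exercise: reject a code whose counter has already been accepted (the `last_counter` check above), and keep the drift window small, since each extra step doubles the number of codes an attacker can guess per attempt.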