
The best-practices 2FA stack is:

* U2F token (primary method)

* TOTP via phone app (backup)

* Backup keys printed or on encrypted USB, in a safe.

* SMS disabled explicitly.

TOTP fallback doesn't reduce security meaningfully, because U2F principally protects against phishing. But SMS fallback is devastating to security.
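The phishing point above, shown as an added example that is not from this thread or any commenter: a real RFC 6238 TOTP beside a deliberately simplified model of U2F origin binding (an HMAC over origin and challenge stands in for the token's signature; the names, origins and challenge are constructed). A relayed TOTP code is indistinguishable from a legitimate one, while a relayed U2F response fails because the browser bound it to the origin the user was actually on.

```python
import hashlib
import hmac
import struct
import time

def totp(secret: bytes, t=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = int(time.time() if t is None else t) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, t: int) -> bool:
    return hmac.compare_digest(totp(secret, t), code)

# Simplified U2F model (assumption, not the real protocol's crypto): the browser tells the
# token which origin it is on, and the token signs over (origin, server challenge). HMAC
# stands in for the device's ECDSA signature; the origin check is the property of interest.
def u2f_sign(device_key: bytes, origin: str, challenge: bytes) -> bytes:
    return hmac.new(device_key, origin.encode() + challenge, hashlib.sha256).digest()

def u2f_verify(device_key: bytes, expected_origin: str, challenge: bytes,
               claimed_origin: str, sig: bytes) -> bool:
    # The relying party rejects a response whose origin is not its own ...
    if claimed_origin != expected_origin:
        return False
    # ... and a response whose signature does not cover that origin and this challenge.
    return hmac.compare_digest(u2f_sign(device_key, claimed_origin, challenge), sig)

def simulate_totp_phish(secret: bytes, t: int) -> bool:
    """A look-alike page collects the user's current code and forwards it in real time.
    The real site cannot tell it came through a third party. Returns True if accepted."""
    captured = totp(secret, t)              # what the user typed into the look-alike page
    return verify_totp(secret, captured, t)

def simulate_u2f_phish(device_key: bytes) -> bool:
    """Same relay, but the browser binds the token's response to the look-alike origin.
    Returns True if either relay attempt is accepted by the real site."""
    real_origin, phish_origin = "https://bank.example", "https://bank-example.test"  # constructed
    challenge = b"\x01" * 32                # constructed challenge relayed from the real site
    sig = u2f_sign(device_key, phish_origin, challenge)
    relayed_as_is = u2f_verify(device_key, real_origin, challenge, phish_origin, sig)
    origin_rewritten = u2f_verify(device_key, real_origin, challenge, real_origin, sig)
    return relayed_as_is or origin_rewritten
```

The TOTP function reproduces the RFC 6238 test vectors (secret "12345678901234567890", 8 digits), so the difference in outcome is down to origin binding alone, not a toy OTP.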



Thanks!



