Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> Does anyone know if Twitch employees have two factor auth?

Yes, IIRC everyone at Amazon has a hardware security key (which is more secure than the standard mobile app TOTP most of us use everywhere online).



>(which is more secure than the standard mobile app TOTP most of us use everywhere online).

Is it though? The "wrench theory" applies here. It's not unthinkable that an employee was stalked on social media and had their key stolen.


Its still more secure. Rubber hose cryptanalysis applies to both equally, but that doesn't mean there aren't other attacks that apply to totp which don't to yubikeys.

More secure != perfectly secure.


With a phone you need my passcode to accept to 2FA request (assuming lock screen notifications are disabled). I think yubikeys can work without a passcode as long you plug it in right?


Right, but presumably the site is already asking for a password, and if the attacker can bypass one password, im not sure its a safe assumption that they cant bypass two. However fair enough. Some yubikeys do involve fingerprint scans too though.

The main security benefit is unphishability. With yubikey/webauth crypto is used so you can't give the code to the wrong website. Phishing is a pretty major cause of account hacks generally, so pragmatically that is a very big win.


It's still the same, 2fa.

With a Yubikey, you need to use your password to log in to your computer, and then need to auth using Yubikey.

With OTP app, you need to use your password to log into your computer, passcode for phone, and then auth.

In both cases, it's something you know, and something you have. You could argue that the app based is a bit more secure in that you need two passwords. On the flipside, if your phone gets pwned, someone can access completely remote.

Everything is a tradeoff.


Why would you need to log into your computer with a yubikey? Wouldn't any computer (including the attacker's computer) work?


Amazon still has a passkey requirement, it's not just a touch of the key, and these passwords are different to your user passwords at login.


They require a physical touch.


Yes.

I don't know which protocols they use (obviously), but if they use WebAuthn, everything is public-key signatures. Even if you leak everything from the server, public keys buy you nothing.

https://webauthn.guide/




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: