This is in response to this comment, as well as the parent: Minimize your trust in all-in-one authentication services. A password manager is reasonable (still makes me nervous), because it makes it simple to have a different complex password for every account. But taking Persona for instance, it claims "free yourself from password management". Don't do that. When you free yourself from managing your security, you are not secure. It really is as simple as that. Security takes diligence. One could even say that security is diligence. The harder you make it for yourself, the more secure you are.
Regarding the possibility of locking yourself out of your accounts, one suggestion that I have is to have one or more primary accounts that you use to recover all of your less critical accounts, and keep the device used for authenticating to those at home, preferably in a safe. Do not use this device for your normal 2FA - only use it as 2FA and recovery for the primary recovery accounts.
For the remaining accounts, use a separate device that you carry around with you. This way when you eventually lose access to something, you'll have a better chance of getting it back. In other words, a lost phone won't necessarily turn into a catastrophe because you've lost your only means of 2FA.
This is wrong. Your email provider is already a SPOF for your security, since anyone who owns your email de facto owns all your accounts. All you're doing is removing another link from the security chain, i.e. the service authentication method.
Essentially, you're replacing two (or a thousand) things someone can break into with one thing someone can break into. That's much easier to secure.
This is all well and good for a tech savvy user. But for the user who "instead of properly setting up their authenticator app, they brilliantly used one of the ten backup codes to finish their 2FA setup (and didn’t even store the rest), thus locking themselves out of their account immediately.", this will all be too complex for them.
We need a solution that is actually usable by the masses that maintains a reasonable level of security.
https://developer.mozilla.org/en-US/docs/Archive/Mozilla/Per...