
> account recovery, as a sole factor, meaning you're substantially worse off with SMS authentication than you are without it at those services

But if in those cases you disable SMS auth, then you can't recover your account, right? That might be considered worse off in some cases.



What worries me isn’t that I might not be able to recover my account if it uses some other form of authentication, it’s that I might not be able to recover my account because it requires authentication from a phone number I lose access to.


This just happened with my AWS account. Changed phones and forgot to update the number. Didn’t realize it until it was too late. Their recovery process without the phone is incredibly onerous (as it should be) and way too much hassle for me to go through for a small personal account. I just deactivated the credit card that was getting billed and let the account get cancelled. That was a hassle, but not nearly as much as getting back into the account.


And by the time you regain access to the phone number, the account might already be using a different one...


They generally run a cron job on your email to see what the vulnerable accounts are & then decide, in order, which one is most important



