Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Lack of two factor auth is quickly becoming a dealbreaker for me for everything. It doesn't matter _how_ good your webapp/SaaS works - if it's relying on just a password to secure my PII (or worse, my proprietary sourcecode or intellectual property) it's fundamentally broken, bordering on useless.


How two factor auth will prevent loss of your source code? (assuming your password is unique)


Keyloggers? Social engineering around the password reset function?

I use 2FA on all my personal accounts that support it (Twitter, Github, Gmail, Namecheap, banks).


If a software can log your keypresses, it can probably steal your cookies and log in as you from your machine. Cookies stored by browsers are easily readable by processes running as the same user.


It will help when my unique password get exposed through any of the many likely routes that don't give the attacker complete code execution on the servers - SQLi or using XSS to steal admin tokens for example.


Interesting, sqli that works only for reading encrypted_hash from DB? But since password is unique it cannot be bruteforced even locally.


True - it's the (many many documented[1]) cases where the SQLi grabs the password_cleartext column, not the encrypted_hash one that worry me here.

[1] http://plaintextoffenders.com/




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: