2FA or Not 2FA

Password Reuse vs Strong Unique Passwords

  • Many argue the real threat isn’t brute‑forcing long passwords but password reuse plus data breaches and credential stuffing.
  • Strong, unique passwords per site plus a password manager are widely seen as a baseline; reuse is strongly discouraged even with 2FA.
  • Some justify weak passwords for “throwaway” accounts; others counter that compromised accounts can still be abused (spam, impersonation).

Benefits and Limitations of 2FA

  • Supporters: 2FA/MFA is crucial against phishing, credential stuffing, and poorly secured services; hardware security keys using FIDO2/WebAuthn are viewed as the only truly phishing‑resistant mainstream option, because the signed assertion is bound to the site's origin and cannot be relayed from a look‑alike domain.
  • Critics: mandatory 2FA increases lockout risk, especially when tied to a single phone or SMS; availability is part of security, not just confidentiality.
  • Several note 2FA implementations are often fragile, phishable, or security theater: SMS, email, and TOTP codes can all be relayed in real time by a phishing proxy, so they stop credential stuffing but not a targeted phish.
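The contrast drawn above, as an added example that is not part of the original discussion: a phishing proxy that relays a TOTP code within its 30‑second window is accepted by the real site, while a WebAuthn‑style assertion signed over the browser‑supplied origin is rejected from the look‑alike domain, and rewriting the origin field afterwards breaks the signature. The origins, relying‑party ID and per‑credential key are constructed fixtures; the TOTP secret is the RFC 4226/6238 test‑vector secret; an HMAC stands in for the authenticator's asymmetric signature.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed test fixtures (not real credentials).
REAL_ORIGIN = "https://login.example.com"       # the genuine site
PHISH_ORIGIN = "https://login.examp1e.com"      # look-alike phishing site
RP_ID = "example.com"                           # WebAuthn relying-party ID of the genuine site
TOTP_SECRET = b"12345678901234567890"           # the RFC 4226/6238 test-vector secret
CRED_KEY = hashlib.sha256(b"constructed per-credential key").digest()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time counter."""
    return hotp(secret, at // step)


def server_verify_totp(submitted: str, now: int) -> bool:
    """The real site accepts the current window plus one either side (usual clock-skew tolerance)."""
    return any(hmac.compare_digest(submitted, totp(TOTP_SECRET, now + d)) for d in (-30, 0, 30))


def phish_totp(now: int) -> bool:
    """Victim types the code on the phishing page; the proxy relays it to the real site 5 s later.
    Nothing in the code ties it to where it was typed, so the relay is accepted."""
    typed_on_phish_page = totp(TOTP_SECRET, now)
    return server_verify_totp(typed_on_phish_page, now + 5)


def authenticator_sign(auth_data: bytes, client_data: bytes) -> bytes:
    """Signature over authenticatorData || SHA-256(clientDataJSON). HMAC stands in for the
    ECDSA/EdDSA private-key signature a real authenticator makes (a real server holds only the public key)."""
    return hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()


def browser_assert(page_origin: str, challenge: bytes) -> dict:
    """The browser, not the page, fills in the origin it is actually showing, so a phishing
    page cannot claim to be REAL_ORIGIN. (A real browser would also refuse RP_ID outright
    when it is not a registrable suffix of the page's host.)"""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": base64.b64encode(challenge).decode(), "origin": page_origin},
        sort_keys=True,
    ).encode()
    # authenticatorData: rpIdHash (32) || flags (1: user present) || signCount (4)
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    return {"clientData": client_data, "authData": auth_data, "sig": authenticator_sign(auth_data, client_data)}


def server_verify_assertion(a: dict, challenge: bytes) -> bool:
    """Relying-party checks from the WebAuthn spec: type, origin, challenge, rpIdHash, then signature."""
    cd = json.loads(a["clientData"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != REAL_ORIGIN:
        return False
    if base64.b64decode(cd.get("challenge", "")) != challenge:
        return False
    if a["authData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    return hmac.compare_digest(authenticator_sign(a["authData"], a["clientData"]), a["sig"])


CHALLENGE = hashlib.sha256(b"constructed server nonce").digest()  # server-issued nonce, fixed for the demo


def legit_webauthn() -> bool:
    """Victim is on the real site: origin matches, signature verifies."""
    return server_verify_assertion(browser_assert(REAL_ORIGIN, CHALLENGE), CHALLENGE)


def phish_webauthn() -> bool:
    """Proxy forwards the real challenge to the victim on the phishing origin and relays the answer.
    The signed clientData says examp1e.com, so the real site rejects it."""
    return server_verify_assertion(browser_assert(PHISH_ORIGIN, CHALLENGE), CHALLENGE)


def tamper_webauthn() -> bool:
    """Attacker rewrites the relayed clientData to claim the real origin; the signature
    covered the original bytes, so it no longer verifies."""
    a = browser_assert(PHISH_ORIGIN, CHALLENGE)
    a["clientData"] = a["clientData"].replace(PHISH_ORIGIN.encode(), REAL_ORIGIN.encode())
    return server_verify_assertion(a, CHALLENGE)


if __name__ == "__main__":
    print("TOTP relayed through phishing proxy accepted:", phish_totp(1_700_000_000))   # True
    print("WebAuthn on real origin accepted:           ", legit_webauthn())             # True
    print("WebAuthn relayed from phishing origin:      ", phish_webauthn())             # False
    print("WebAuthn with forged origin field:          ", tamper_webauthn())            # False
```

The same relay that defeats TOTP is exactly what a real‑time phishing kit does; note that the ±1 window tolerance on the server makes the relay reliable even near a window boundary. The WebAuthn side fails for the attacker twice over: the browser writes the origin, and the origin is under the signature.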

Availability, Lockout, and Backup

  • Many focus on recovery codes and backup procedures as an underappreciated failure point; users misplace codes or lose phones and are locked out.
  • Storing TOTP secrets or recovery codes in the same password manager as the password is common; it is acknowledged as “1.5FA” (one compromise of the vault yields both factors) but seen as a pragmatic tradeoff.
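Recovery codes only work as a lockout safety net if the service issues and handles them properly. The following is an added example, not code from the original discussion or from any named service, of the server side of that: codes generated from a look‑alike‑free alphabet with `secrets`, stored only as salted hashes so a database leak does not hand out the codes, normalised on input so a code read back from paper in uppercase or without dashes still works, compared in constant time, and burned after a single use. The alphabet, code length and `RecoveryCodeStore` class are this example's own choices.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (no 0/o, 1/l/i) so codes survive being read from paper.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"   # 31 symbols, ~4.95 bits each


def normalize(code: str) -> str:
    """Accept what users actually type: uppercase, extra dashes or spaces."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def generate_code(groups: int = 2, group_len: int = 5) -> str:
    """One recovery code, e.g. 'k7mxp-3qz9w': 10 symbols from a 31-symbol alphabet, ~49.5 bits."""
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(group_len)) for _ in range(groups)
    )


def hash_code(code: str, salt: bytes) -> bytes:
    """Codes are high-entropy random strings, so a salted SHA-256 is enough (no slow KDF needed);
    the per-user salt stops an attacker with a leaked table from testing one guess against every user at once."""
    return hashlib.sha256(salt + normalize(code).encode()).digest()


class RecoveryCodeStore:
    """Server-side state for one user: a salt and the hashes of unused codes.
    Plaintext codes are shown once at issue time and never stored."""

    def __init__(self, salt: bytes, hashes: set[bytes]):
        self.salt = salt
        self.hashes = hashes

    @classmethod
    def issue(cls, count: int = 10) -> tuple[RecoveryCodeStore, list[str]]:
        """Mint a fresh set; returns the store to persist and the plaintext codes to show the user once."""
        salt = secrets.token_bytes(16)
        codes: list[str] = []
        while len(codes) < count:            # loop rather than range() so a duplicate is rerolled
            c = generate_code()
            if c not in codes:
                codes.append(c)
        return cls(salt, {hash_code(c, salt) for c in codes}), codes

    def remaining(self) -> int:
        return len(self.hashes)

    def consume(self, submitted: str) -> bool:
        """Burn the matching code. Every stored hash is compared with compare_digest and the
        loop never exits early, so timing does not reveal which slot (if any) matched."""
        candidate = hash_code(submitted, self.salt)
        matched = None
        for h in self.hashes:
            if hmac.compare_digest(h, candidate):
                matched = h
        if matched is None:
            return False                     # unknown, mistyped, or already-used code
        self.hashes.remove(matched)          # single use: presenting the same code again is rejected
        return True


if __name__ == "__main__":
    store, codes = RecoveryCodeStore.issue()
    print("issued:", codes)
    print("first use:", store.consume(codes[0].upper()))      # True (case and dashes ignored)
    print("reuse:", store.consume(codes[0]))                   # False (already burned)
    print("remaining:", store.remaining())                     # 9
```

Rate‑limit the recovery endpoint like a login form: ten codes of about 49 bits each are far beyond online guessing only while guesses are throttled. Re‑issuing a set should replace the whole store, not append to it, so codes from an old printout stop working.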

Passkeys: Promise and Lock‑In

  • Passkeys are praised for solving phishing and password usability, but there is concern about:
    • Tying access to a single vendor ecosystem (Apple/Google/Microsoft).
    • Export/interoperability, attestation “anti‑features” (a relying party can use attestation to reject authenticators from vendors it has not approved), and de‑facto platform lock‑in.
  • Some use passkeys via third‑party managers as a convenient “skip 2FA screen” mechanism, not as a full password replacement.

SMS, Phone Numbers, and Privacy

  • SMS 2FA is heavily criticized: SIM‑swap risk, roaming/coverage failures, and exclusion of people without reliable phone service.
  • Phone-number‑based identity harms anonymity and can enable denial of access if carriers or providers misbehave.

Password Managers and UX Friction

  • There is debate over which password managers to trust (SaaS vs local, multi‑platform support).
  • Convenience issues (multiple devices, extra clicks, 2FA app fragmentation) drive some users to weaker practices like browser‑stored passwords.

Whose Risk Is Being Managed?

  • Several suggest required 2FA primarily protects service providers from abuse of weak accounts, reducing abuse workload and business risk.
  • Others stress that both user and provider threat models matter, and 2FA is a reasonable response to widespread poor password hygiene.

Side Discussion: HTTPS

  • The article’s lack of HTTPS is criticized; some say static content “doesn’t need it,” others emphasize integrity and privacy for all pages.