
What a silly question. One can prove who they are with documents, but nobody can prove who they are with 2FA.

It goes like this: If you can prove who you are, you get access to your account. That's what this is all about.

The more offline, human touch we go, the greater the security.



It's way more likely that a hacker can convince a customer support rep that he's me than that hacker can steal my 2FA codes.

This isn't a hypothetical, this happens all the time including to people I know personally: https://www.forbes.com/sites/laurashin/2016/12/20/hackers-ha...


That's not an inherent problem, that's poor implementation.

Procedures like this could work:

Person contacts support requesting a bypass of the 2FA due to whatever reason.

1. Cloudflare sends email to person's account notifying of the request.
2. Person is required to upload photographic proof of two govt-issued IDs.
3. Cloudflare calls person (phone number on file from 2FA or account setup).
4. 30 day delay initiated.
5. 30 days later, Cloudflare emails and calls person to confirm they requested 2FA bypass.
6. Access is granted.

With procedures like this, it's no longer about convincing a support rep.
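
A sketch of the six-step procedure in the comment above as an enforced state machine, added here as an illustration; it is not code from the thread or from Cloudflare. The class, step names and the rule that a "no" at step 5 cancels the request are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

DELAY = timedelta(days=30)  # waiting period from step 4
# Steps 1-3, which must be recorded in this order (names are hypothetical).
PRE_DELAY_STEPS = ["owner_notified_by_email", "two_ids_uploaded",
                   "callback_to_number_on_file"]

@dataclass
class BypassRequest:
    account: str
    completed: list = field(default_factory=list)
    delay_started: Optional[datetime] = None
    confirmed: bool = False
    cancelled: bool = False

    def record(self, step: str, now: datetime) -> None:
        """Record one of steps 1-3; skipping or reordering is refused."""
        done = len(self.completed)
        expected = PRE_DELAY_STEPS[done] if done < len(PRE_DELAY_STEPS) else None
        if self.cancelled or step != expected:
            raise PermissionError(f"step {step!r} not allowed now")
        self.completed.append(step)
        if len(self.completed) == len(PRE_DELAY_STEPS):
            self.delay_started = now  # step 4: clock starts only after steps 1-3

    def confirm(self, owner_says_yes: bool, now: datetime) -> None:
        """Step 5: contact the owner again once the delay has elapsed."""
        if self.cancelled or self.delay_started is None:
            raise PermissionError("request is not awaiting confirmation")
        if now - self.delay_started < DELAY:
            raise PermissionError("30-day delay has not elapsed")
        if owner_says_yes:
            self.confirmed = True
        else:
            self.cancelled = True  # assumption: owner denial ends the request

    def access_granted(self) -> bool:
        """Step 6: derived from recorded state, not from a rep's judgment."""
        return self.confirmed and not self.cancelled
```
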



