
Perhaps, but you're also making a lot of assumptions about the security practices of companies that send you info via SMS.


To your point: I can count on two hands the number of companies I've encountered that iterate HOTP on use rather than on issuance.

...which means there are bound to be a few stale but still active SMS codes lingering in there from people who attempted but did not complete authentication, e.g., because they entered the wrong number or didn't have access to the number they attempted to use when signing in. Services impacted are any which allow for users to authenticate with _just_ SMS HOTP and which don't expire unused codes. That number is unfortunately high enough for me to think that this is equatable to a small credential breach.
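The two behaviours the comment above contrasts (advancing the HOTP counter on issuance versus on use) and the missing expiry of unused codes, as an added example that is not part of the original thread and not any company's code. It implements RFC 4226 HOTP (HMAC-SHA1, dynamic truncation) and a toy per-account server model; the `SmsOtpAccount` class, its `window` look-back and `ttl_seconds` expiry, and the three scenarios in `demo()` are assumptions made to illustrate the point, not a description of any particular service. The secret is the RFC 4226 Appendix D test key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class SmsOtpAccount:
    """Server-side OTP state for one account (assumed toy model, not a vendor's code).

    advance_on="issuance": the counter moves every time a code is texted, and
    verification accepts any still-outstanding counter inside `window`, so a
    code that was sent but never entered keeps working.
    advance_on="use": the counter moves only when a code is accepted; a repeat
    request re-sends the same code, so at most one code is live at a time.
    ttl_seconds=None means unused codes never expire (the failure mode above).
    """

    def __init__(self, secret, advance_on="issuance", window=5, ttl_seconds=None):
        self.secret = secret
        self.advance_on = advance_on
        self.window = window
        self.ttl = ttl_seconds
        self.counter = 0
        self.outstanding = {}   # counter -> time the code was first sent

    def issue(self, now):
        """Send a code; returns the 6-digit value as it would appear in the SMS."""
        c = self.counter
        self.outstanding.setdefault(c, now)   # keep the original send time on re-send
        if self.advance_on == "issuance":
            self.counter += 1
        return hotp(self.secret, c)

    def verify(self, code, now):
        """Accept `code` if it matches an outstanding, unexpired counter."""
        for c in sorted(self.outstanding):
            if self.advance_on == "issuance" and c < self.counter - self.window:
                del self.outstanding[c]   # fell out of the look-back window
                continue
            if self.ttl is not None and now - self.outstanding[c] > self.ttl:
                del self.outstanding[c]   # expired: the check the comment asks for
                continue
            if hmac.compare_digest(hotp(self.secret, c).encode(), code.encode()):
                del self.outstanding[c]   # single use in either mode
                if self.advance_on == "use":
                    self.counter += 1     # only now does the counter move
                return True
        return False


def demo():
    secret = b"12345678901234567890"   # RFC 4226 Appendix D test key
    results = {}

    # 1. Counter advances on issuance, codes never expire: the user mistyped the
    #    number, re-requested, and logged in with the second code. The first code,
    #    sitting in a stranger's inbox, still verifies a week later.
    acct = SmsOtpAccount(secret, advance_on="issuance", ttl_seconds=None)
    first = acct.issue(now=0)
    second = acct.issue(now=10)
    acct.verify(second, now=20)
    results["stale_code_still_valid"] = acct.verify(first, now=7 * 86400)

    # 2. Same flow, but unused codes expire after five minutes.
    acct = SmsOtpAccount(secret, advance_on="issuance", ttl_seconds=300)
    first = acct.issue(now=0)
    second = acct.issue(now=10)
    acct.verify(second, now=20)
    results["stale_code_expired"] = not acct.verify(first, now=7 * 86400)

    # 3. Counter advances on use: the re-request re-sends the same code, and once
    #    it is consumed neither copy of the SMS works again.
    acct = SmsOtpAccount(secret, advance_on="use")
    first = acct.issue(now=0)
    second = acct.issue(now=10)
    results["reissue_is_same_code"] = first == second
    results["first_use_ok"] = acct.verify(first, now=20)
    results["replay_accepted"] = acct.verify(first, now=21)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Scenario 1 is the situation the comment describes: with issuance-time counter advance and no TTL, every code ever sent to a wrong or unreachable number stays a valid login token. Either advancing on use (scenario 3) or expiring unused codes (scenario 2) closes it; doing both is the usual recommendation, since advance-on-use alone still leaves one live code per account indefinitely.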



