
You are allowed to have two separate databases, with different passwords. You can even store them on different devices!


It’s still one device.


The second factor does not have to be a second device. Like everything in security, it's about what you're protecting against. Shoulder surfing and device theft are not something I worry about in my home setup, for example.


> The second factor does not have to be a second device. Like everything security, it’s what you’re protecting against.

It doesn't matter if you store your 2FA seed on a billboard or as a tattoo where the sun doesn't shine: 2FA means two factors. The definition doesn't change when your home setup's threat model doesn't call for 2FA and you thus decide to store two secrets in the same place (making a compromise of one necessarily a compromise of the other, thus 1FA)


> making a compromise of one necessarily a compromise of the other, thus 1FA

The only necessity is logical necessity, and it doesn't apply there.


You're saying you can store two pieces of information in one file, without a compromise of one implying a compromise of the other? Do elaborate


GP stated:

> The second factor does not have to be a second device.

Now, you are talking about two pieces of information in a single file.


This is so wrong. You’re conflating where things are with what they are. Two factors does not mean two devices.


Yes, it depends on your threat model. But being defeated by one simple keylogger isn't a risk I'm willing to take even at home.


And yes, 2FA single use codes will protect against a simple keylogger.

But if it's on the same device, it will not protect you against a password database harvester.
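An added example, not from the thread, to make the distinction in the two comments above concrete. It is a plain RFC 6238 TOTP implementation with a server-side verifier that remembers the last consumed time step. The `keylogger_scenario` function shows that a code captured from the keyboard is rejected on replay and dies once its window passes; the `harvester_scenario` function shows that a seed lifted from a password database yields valid codes indefinitely. The seed, the timestamps and the function names are constructed for illustration.

```python
"""Added example (not part of the thread): RFC 6238 TOTP, used to show
why a keylogged one-time code is useless once consumed or expired, while
a harvested seed is equivalent to the factor itself.
The seed, timestamps and names below are constructed for illustration."""
import base64
import hashlib
import hmac
import struct

# Constructed demo seed in the base32 form an authenticator app imports.
# Not a real secret.
DEMO_SEED_B32 = "JBSWY3DPEHPK3PXP"
STEP = 30      # seconds per TOTP time step
DIGITS = 6     # code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at // step)


class Verifier:
    """Server side. Accepts the code for the current step (+/- skew steps for
    clock drift) and records the step of each accepted code, so a code that
    was keylogged and replayed is rejected even inside its validity window."""

    def __init__(self, secret_b32: str, skew: int = 1):
        self.secret_b32 = secret_b32
        self.skew = skew
        self.last_used_step = -1

    def verify(self, code: str, now: int) -> bool:
        step_now = now // STEP
        for delta in range(-self.skew, self.skew + 1):
            step = step_now + delta
            if step <= self.last_used_step:
                continue  # this step already produced an accepted code: replay
            if hmac.compare_digest(totp(self.secret_b32, step * STEP), code):
                self.last_used_step = step
                return True
        return False


def keylogger_scenario(now: int) -> tuple:
    """Attacker captured the code the user typed at `now`.
    Returns (legit login accepted, immediate replay accepted, later replay accepted)."""
    v = Verifier(DEMO_SEED_B32)
    typed = totp(DEMO_SEED_B32, now)
    legit = v.verify(typed, now)                  # the user's own login
    replay_now = v.verify(typed, now + 5)         # same window, already consumed
    replay_later = v.verify(typed, now + 10 * STEP)  # window long gone
    return legit, replay_now, replay_later


def harvester_scenario(now: int) -> bool:
    """Attacker harvested the seed from the password database alongside the
    password. A week later they mint a fresh code and it is accepted: the
    'second factor' provided no independent protection."""
    v = Verifier(DEMO_SEED_B32)
    stolen_seed = DEMO_SEED_B32
    later = now + 7 * 24 * 3600
    return v.verify(totp(stolen_seed, later), later)


if __name__ == "__main__":
    t = 1_700_000_000
    print("keylogger (legit, replay now, replay later):", keylogger_scenario(t))
    print("harvester (fresh code from stolen seed):", harvester_scenario(t))
```

The replay protection comes entirely from the verifier remembering the last consumed step; a verifier that only checks the skew window would accept the keylogged code for up to a minute. Nothing on the server can distinguish a code minted from a stolen seed from a legitimate one, which is the point the comment above makes about storing the seed next to the password.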


If you log in from your phone, it's still one device. Should we have different TOTPs for different devices?

Something that you have can be your own pc.


You're onto something even banks don't seem to understand! The industry standard for doing financial transactions calls for 2FA but then they make a mobile app that can self-approve transactions. Yes, using only one mobile device is 1FA, just like using one desktop only, but people generally consider mobile OSes safer because the permission model and process isolation is on a whole other level


There's a grain of truth in your statement, but no matter how hard it's to accept for all of us nerds here, in real life words are defined by usage. If industry calls it 2FA, users call it 2FA, then it's 2FA.


They can call the sky green but unless the wavelength changed, I don't see the benefit of taking over that terminology, no matter if you're a user or a nerd or both. That's the real-life situation: sky isn't green, idk why anyone would need to "accept" that or not when it factually isn't the case


Your choice of example is somewhat self-defeating: blue-green is probably the best illustration of terms with big semantic overlap, even in languages which care to have separate words for these colors (there are those which have one word for both). Generally, the meaning of words is defined by the informal convention of the majority. You are free to disagree with it, but it only means you will speak your own dialect, always needing to explain yourself to everybody who's not you.


If you store two databases on two devices it makes them suddenly one device? What kind of security sorcery is this?

