Comment by us0r
1 month ago
I've been bitching about GasBuddy since at least 2018 (I'm sure even further back, but I'm too lazy to keep looking).
https://news.ycombinator.com/item?id=16776028#16776762
I've pretty much deleted all apps. I'm working on dumping my phone altogether, but shit like mandated 2FA is screwing that up.
At this point, 2FA is the only thing I use my phone for anymore. It's the only reason I even have a phone; I spent about a year without one until I had to for 2FA. But I don't need to carry it around anywhere for that. It would be inaccurate to call it a "mobile" device.
It wouldn’t be too hard to create a physical device that can only be used to set up and retrieve Authenticator-app style 2FA codes.
All you’d need is a camera to read QR codes, a display, a few kB of storage and some pretty basic processing.
But then I guess that storage would need to be encrypted with some sort of authentication. Hmm.
What about extending the protocol to an actual channel-bound challenge-response one, without the need for a (risky) out-of-band key exchange via a QR code?
We could call it something like Web Authentication. I could even imagine small, keychain-sized USB authenticators that you have to touch a capacitive button on to approve an authentication :)
That doesn't help when the services insist on SMS as 2FA.
Yubikey, FIDO2, etc. already exist, though not supported everywhere.
Sounds a bit like Precursor.
Most systems that have 2FA have MFA, TOTP or a FIDO2 key. That's what I use. Never SMS, as it is unsafe.