If the only phishing protection you find meaningful for 2FA tokens is domain mat... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		Spivak on Oct 4, 2020 \| parent \| context \| favorite \| on: Pressing YubiKeys If the only phishing protection you find meaningful for 2FA tokens is domain matching then any extension-based password manager like Bitwarden will work with far less hassle than needing a physical token or your phone.

Thorrez on Oct 4, 2020 [–]

Just hope your password manager's password doesn't get phished.

> or your phone.

Using your phone for 2FA doesn't provide any phishing protection that I know of.

What realistic attacks is a non-U2F Yubikey protecting against that TOTP (Google Authenticator) won't protect against?

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact