frontpage.

I was using my online banking service to transfer money today, and in my country the transfer requires an SMS OTP (yes, I know SMS is terrible for security). I noticed that my Mac automatically filled in the SMS OTP that was sent to my iPhone, even though my iPhone was still locked.

The idea behind SMS OTP is that it proves you "have" the device. But in this case, as long as the device is nearby, my Mac can read and use the code without me unlocking the phone. I don't even need to touch the device. So the "possession" factor doesn’t really work the way it's supposed to.

It got me thinking, are there more examples where 2FA accidentally collapses into a single factor? Or where the two factors aren’t as independent as we assume?

I find this pretty interesting and want to look more into it, but a quick search hasn't turned up much. Does anyone know if people have already written about this?

Ask HN: Claude Opus performance affected by time of day?

Ask HN: Share your personal website

Tell HN: The way I do simple data management for new prototypes

Ask HN: How can we solve the loneliness epidemic?

Ask HN: How are you doing RAG locally?

Ask HN: How have you or your firm made money with LLMs?

Tell HN: YouTube gave my username switzerland to a half government organization

Ask HN: What did you find out or explore today?

At the phase 'build a startup cause I can't get hired, and maybe I'll get hired'

Ask HN: Those who quit tech, moved back home, what do you do?

Ask HN: Browser extension vs. native app for structured form filling?

Ask HN: One IP, multiple unrealistic locations worldwide hitting my website

Ask HN: Who's Using DuckDB in Production?

Ask HN: Local media server, receive and send audio?

Ask HN: When "Two-Factor Authentication" (2FA) Aren't Two

Ask HN: Have you ever tried low-code tools for your work?

Ask HN: LLM Poisoning Resources

Ask HN: Tips for better image generation? I need help

Why is nobody using this? Full-duplex voice streaming with Gemini Live in React

Ask HN: What are your best purchases under $100?

Tell HN: HP Ultra G1a Bios Freezing Issue

Ask HN: Iran's 120h internet shutdown, phones back. How to stay resilient?

Ask HN: Is sending a lot of requests but respecting rate limits DOSing?

Ask HN: Analogy of AI IDEs for code vs. "AI IDEs" for personal health data

Ask HN: How do you safely give LLMs SSH/DB access?

Ask HN: AI music covers in 2026?

Ask HN: What are you working on? (January 2026)

Tell HN: Execution is cheap, ideas matter again

Ask HN: How to make spamming us uncomfortable for LinkedIn and friends?

Ask HN: Is token-based pricing making AI harder to use in production?

Ask HN: When "Two-Factor Authentication" (2FA) Aren't Two

Comments

Ask HN: Claude Opus performance affected by time of day?

Ask HN: Share your personal website

Tell HN: The way I do simple data management for new prototypes

Ask HN: How can we solve the loneliness epidemic?

Ask HN: How are you doing RAG locally?

Ask HN: How have you or your firm made money with LLMs?

Tell HN: YouTube gave my username switzerland to a half government organization

Ask HN: What did you find out or explore today?

At the phase 'build a startup cause I can't get hired, and maybe I'll get hired'

Ask HN: Those who quit tech, moved back home, what do you do?

Ask HN: Browser extension vs. native app for structured form filling?

Ask HN: One IP, multiple unrealistic locations worldwide hitting my website

Ask HN: Who's Using DuckDB in Production?

Ask HN: Local media server, receive and send audio?

Ask HN: When "Two-Factor Authentication" (2FA) Aren't Two

Ask HN: Have you ever tried low-code tools for your work?

Ask HN: LLM Poisoning Resources

Ask HN: Tips for better image generation? I need help

Why is nobody using this? Full-duplex voice streaming with Gemini Live in React

Ask HN: What are your best purchases under $100?

Tell HN: HP Ultra G1a Bios Freezing Issue

Ask HN: Iran's 120h internet shutdown, phones back. How to stay resilient?

Ask HN: Is sending a lot of requests but respecting rate limits DOSing?

Ask HN: Analogy of AI IDEs for code vs. "AI IDEs" for personal health data

Ask HN: How do you safely give LLMs SSH/DB access?

Ask HN: AI music covers in 2026?

Ask HN: What are you working on? (January 2026)

Tell HN: Execution is cheap, ideas matter again

Ask HN: How to make spamming us uncomfortable for LinkedIn and friends?

Ask HN: Is token-based pricing making AI harder to use in production?