frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Git-am applies commit message diffs

https://lore.kernel.org/git/bcqvh7ahjjgzpgxwnr4kh3hfkksfruf54refyry3ha7qk7dldf@fij5calmscvm/
1•rkta•2m ago•0 comments

ClawEmail: 1min setup for OpenClaw agents with Gmail, Docs

https://clawemail.com
1•aleks5678•8m ago•1 comments

UnAutomating the Economy: More Labor but at What Cost?

https://www.greshm.org/blog/unautomating-the-economy/
1•Suncho•15m ago•1 comments

Show HN: Gettorr – Stream magnet links in the browser via WebRTC (no install)

https://gettorr.com/
1•BenaouidateMed•16m ago•0 comments

Statin drugs safer than previously thought

https://www.semafor.com/article/02/06/2026/statin-drugs-safer-than-previously-thought
1•stareatgoats•18m ago•0 comments

Handy when you just want to distract yourself for a moment

https://d6.h5go.life/
1•TrendSpotterPro•20m ago•0 comments

More States Are Taking Aim at a Controversial Early Reading Method

https://www.edweek.org/teaching-learning/more-states-are-taking-aim-at-a-controversial-early-read...
1•lelanthran•21m ago•0 comments

AI will not save developer productivity

https://www.infoworld.com/article/4125409/ai-will-not-save-developer-productivity.html
1•indentit•26m ago•0 comments

How I do and don't use agents

https://twitter.com/jessfraz/status/2019975917863661760
1•tosh•32m ago•0 comments

BTDUex Safe? The Back End Withdrawal Anomalies

1•aoijfoqfw•35m ago•0 comments

Show HN: Compile-Time Vibe Coding

https://github.com/Michael-JB/vibecode
5•michaelchicory•37m ago•1 comments

Show HN: Ensemble – macOS App to Manage Claude Code Skills, MCPs, and Claude.md

https://github.com/O0000-code/Ensemble
1•IO0oI•41m ago•1 comments

PR to support XMPP channels in OpenClaw

https://github.com/openclaw/openclaw/pull/9741
1•mickael•41m ago•0 comments

Twenty: A Modern Alternative to Salesforce

https://github.com/twentyhq/twenty
1•tosh•43m ago•0 comments

Raspberry Pi: More memory-driven price rises

https://www.raspberrypi.com/news/more-memory-driven-price-rises/
1•calcifer•48m ago•0 comments

Level Up Your Gaming

https://d4.h5go.life/
1•LinkLens•52m ago•1 comments

Di.day is a movement to encourage people to ditch Big Tech

https://itsfoss.com/news/di-day-celebration/
3•MilnerRoute•54m ago•0 comments

Show HN: AI generated personal affirmations playing when your phone is locked

https://MyAffirmations.Guru
4•alaserm•54m ago•3 comments

Show HN: GTM MCP Server- Let AI Manage Your Google Tag Manager Containers

https://github.com/paolobietolini/gtm-mcp-server
1•paolobietolini•56m ago•0 comments

Launch of X (Twitter) API Pay-per-Use Pricing

https://devcommunity.x.com/t/announcing-the-launch-of-x-api-pay-per-use-pricing/256476
1•thinkingemote•56m ago•0 comments

Facebook seemingly randomly bans tons of users

https://old.reddit.com/r/facebookdisabledme/
1•dirteater_•57m ago•1 comments

Global Bird Count Event

https://www.birdcount.org/
1•downboots•58m ago•0 comments

What Is Ruliology?

https://writings.stephenwolfram.com/2026/01/what-is-ruliology/
2•soheilpro•59m ago•0 comments

Jon Stewart – One of My Favorite People – What Now? with Trevor Noah Podcast [video]

https://www.youtube.com/watch?v=44uC12g9ZVk
2•consumer451•1h ago•0 comments

P2P crypto exchange development company

1•sonniya•1h ago•0 comments

Vocal Guide – belt sing without killing yourself

https://jesperordrup.github.io/vocal-guide/
2•jesperordrup•1h ago•0 comments

Write for Your Readers Even If They Are Agents

https://commonsware.com/blog/2026/02/06/write-for-your-readers-even-if-they-are-agents.html
1•ingve•1h ago•0 comments

Knowledge-Creating LLMs

https://tecunningham.github.io/posts/2026-01-29-knowledge-creating-llms.html
1•salkahfi•1h ago•0 comments

Maple Mono: Smooth your coding flow

https://font.subf.dev/en/
1•signa11•1h ago•0 comments

Sid Meier's System for Real-Time Music Composition and Synthesis

https://patents.google.com/patent/US5496962A/en
1•GaryBluto•1h ago•1 comments
Open in hackernews

Authy corrupted my 2FA backup and all I got was this lousy blogpost

https://cmb.weblog.lol/2025/05/authy-corrupted-my-2fa-backup-and-all-i-got-was-this-lousy-blogpost
25•CameronBanga•8mo ago

Comments

jiveturkey•8mo ago
buried lede IMO

> Authy was sold to Twillo in 2015

codalan•8mo ago
Just got off Authy. They've done everything to trap customers into their broken platform, primarily by never allowing the user to export their tokens, either to file, or to another MFA application.

They also stopped supporting their desktop app, forcing users back onto a single point of failure: the mobile app.

If Twilio isn't going to support Authy in good faith, they should stop holding their remaining users hostage.

CameronBanga•8mo ago
I should have been smarter and thought about looking at export sooner, it wasn't until I had this issue that I dug in and realized how bad it was.
foxyv•8mo ago
Most 2FA apps don't allow export for security reasons. I usually just re-generate all my TOTP keys manually. It's terribly painful, but I used to do it with every phone upgrade.
ValentineC•8mo ago
"Security reasons" is pretty insane, considering how easy it is to lose access to a good number of accounts if any 2FA app breaks from a bad update.

Google Authenticator has done this before too, way back in 2013: https://news.ycombinator.com/item?id=6325760

AStonesThrow•8mo ago
It is indeed the very epitome of sanity, if you simply consider that the codes are secrets, and this entire practice is derived from having hardware dongles with secure enclaves, where secrets go in but never come out. It is the utmost in security when this one-way relationship is observed.

The ability to export secrets is an unfortunate compromise which vendors make for consumer markets. The MFA apps were not designed for exportability. If you own any Yubikeys you will know this. The whole idea is that this factor is "something you have", in other words, possession of the item containing your secret. An exported secret is no longer a secret, no longer something you have; it's just another password you're shuffling around.

The reason that you don't lose access to accounts when losing your MFA apps is that you took down the emergency backup codes and you committed them to paper, or some other durable medium, in a place where they can easily be accessed during a crisis. You did this scrupulously with each MFA activation, didn't you? Didn't you?

codalan•8mo ago
In an ideal world, I'd just use Yubikeys for everything. The problem is that it's not universally supported (or only supports a limited number of keys), so now I have a hodgepodge of 2FA app or Yubikeys or, even worse, phone/email 2FA.

The great thing about Yubikeys is that I can associate backup keys for accounts (when they are supported), so if I lose one key, I can deactivate the lost key and use a backup key in its place.

With heavily locked-down 2FA apps, I have to hope I can do a full recovery on a new device, or go through the recovery code process, or start all over again w/ new 2FA codes. If I'm lucky, the app allowed me to have it installed onto a backup device.

It's way more complicated that just swapping in a new Yubikey.

ValentineC•8mo ago
> The reason that you don't lose access to accounts when losing your MFA apps is that you took down the emergency backup codes and you committed them to paper, or some other durable medium, in a place where they can easily be accessed during a crisis. You did this scrupulously with each MFA activation, didn't you? Didn't you?

Not all TOTP implementations, especially indie PHP websites, are robust enough to have implemented backup codes.

AStonesThrow•8mo ago
Well, that's pretty sad, but surely, in every case, there is some procedure that's delineated for account recovery when something goes wrong?

I have been dismayed at some supposedly professional implementations, such as when I telephoned Wal-Mart to ask what can be done if I lost my phone (SMS is their only 2FA) and they said that they were prohibited from changing anything in account settings or profiles, and the best idea was to create a new account. (That is crazy -- if you shop at a marketplace like that, they've stored all your receipts, your membership, a potentially years-long trail of paperwork that you may need for taxes, or reimbursement, or refunds later on!)

Even worse, I had a bad time with the United States Postal Service. If I recall correctly, I'd lost access to the registered email address, and I was requesting to change it to something within my control, and they said "no can do", and they told me that my only recourse would be to create a new account, so that's what I did. Interestingly, USPS offers 2FA via either email or SMS, and their SMS gateway service is frequently out of order, so I always use email when logging in there.

Once, around 2021, I contacted GitLab to inform them that their account recovery process was a backdoor to circumvent MFA. They denied any such problem. I suggest that any account recovery implementation be just as secure as the front door to sign in, but also not impossible, because why do you want loyal customers to lose their accounts completely?

foxyv•8mo ago
Typically the way these codes are compromised is when they are stored in a non-HSM location like Google drive or transferred somehow. Then again, if you are just trying to keep people out of your Facebook account it's not a big deal. But if you are trying to keep people from financial accounts I wouldn't recommend transferring TOTP keys. Instead using a backup method like a printed out one time use sheet would be better.

Unfortunately most such websites use KBA or Text based authentication as a backup for TOTP so you may as well just stick it in Google drive.

codalan•8mo ago
It sucks Yubikey (or other hardware based auth) isn't more prevalent in the financial/banking world. It helps mitigate a lot of types of attacks:

- No tokens to exfiltrate off a computer

- Avoids keylogger style attacks

- More durable than cell phones

That said, for people that have high amounts of money in certain accounts (> 1m), it might also present physical dangers (e.g. kidnapping, home invasion) for thieves attempting to get access to the hardware key.

foxyv•8mo ago
The rubber hose attack is always the most reliable and most dangerous method of breaching high value targets like this.

https://xkcd.com/538/

codalan•8mo ago
It's only a security issue if you don't secure the cloud storage that's used for backups.

Google Authenticator and some other 2FA apps allow the user to export their tokens to other apps so you don't need to redo TOTP on every website.

The most secure method is to only have tokens on the 2FA device and to avoid using TOTP backup/restore altogether (or manually copy the tokens on a secondary 2FA device). It's a tradeoff between security vs. convenience.

foxyv•8mo ago
Yeah, the iron triangle of security, convenience, and privacy rears it's ugly head again.
WorldMaker•8mo ago
I think Microsoft Authenticator is the smartest right now because it's a "two-cloud" solution partly out of necessity, but also that seems a trustworthy architecture more generally. Since almost no one's phone runs Windows anymore, the raw app data backups "naturally" go to either iCloud or Google Drive. Then Microsoft keeps other (HSM) decryption keys in OneDrive. The threat model requires compromises of two clouds, so Microsoft Authenticator can be way more generous on how often and easily it backs up. It's an interesting point in the security vs. convenience tradeoff.
nikolay•8mo ago
Authy did this with me years ago, too, destroyed my tokens, I had different lists of tokens on different devices, too - that's why I kept an old phone as it had some of my accounts in there. Do not touch that steamy pile even with a 10-foot pole! It's unfortunately that some providers recognized by your phone number that you have Authy and for you to use it!
rubatuga•8mo ago
It's pretty obvious that you should be backing up the actual TOTP secrets not relying on an app to manage it. I use 2FAS Auth which allows export. The other alternative is to use multiple devices for each 2FA account (the original intent?)
dehrmann•8mo ago
I thought we all moved to Bitwarden a decade ago?
ChrisArchitect•8mo ago
tl;dr

> Much to my surprise, when checking the App Store page, I saw that an update to the app had been approved by Apple only 14 minutes prior. I downloaded the update, tapped upon one of the previously "locked" items, and entered my backup password. Boom, the previously locked 2FA codes were now unlocked and restored, ready for use.

subscribed•8mo ago
I think you missed that part where they subsequently tried to gaslight the user again and told him to do the thing he explained in the ticket he can't.

Or what is the purpose of your comment? :)

ValentineC•8mo ago
Google Authenticator did this to me once before, way back in 2013 [1].

After that, it was vaults that were easily exportable and backed up all the way (like most password managers).

[1] https://news.ycombinator.com/item?id=6325760

bonki•8mo ago
I use KeePass as main TOTP app but migrated from Authy to Aegis (open source, great app) years ago which I use as sort of secondary backup, which also allows you to create backups and import/export data. I sync those off my phone using Syncthing. There is absolutely zero reason to use Authy for standard TOTP these days.
subscribed•8mo ago
If not for a backup on the very old, insecure phone, Authy would cut me off from my codes.

They refuse to start the app on GrapheneOS literally because they cannot be arsed, offloading the claim of security of the handset to Google (which says an old handset not patched in the last 8 years is secure, but the most recent, best patched OS is not).

When the shit hit the fan Authy even removed the way to export the seeds from the desktop version of the app. Big FU to customers.

Never again.

alyandon•8mo ago
I am so glad I stopped using Authy and (painfully via the desktop extension and some hacking to get my TOTP keys) migrated to Aegis. I eventually moved from Aegis to keeping everything in Bitwarden + self-hosted Vaultwarden.
throwaway230ss•8mo ago
I switched to Ente Auth back when Twilio screwed ppl over by eliminating the desktop application. Literally everything about Ente Auth has a better experience than Authy ever was, even before the incident.

Highly recommended by a highly satisfied user.

burnt-resistor•8mo ago
Tarsnap should partner with Apple and Google to offer a per-app minimal important data backup API/service to offer revisioned backups (not just replication) of critical data. This is something Tarsnap could offer app developers as an SDK at first, but then gather momentum to be integrated into mobile/dekstop OSes.