Hacker News

What services allow U2F security keys but don't provide single-use recovery codes as backup?


I don't know about U2F specifically, but recovery codes are not generally a feature of 2FA.

Edit: And let me just add why I think this is relevant. Even though few people have dedicated hardware keys today, many 2FA schemes depend on being in possession of a particular phone. There are typically no backups and no recovery codes.

I don't think this would necessarily change if specialised key hardware was used more often. In fact, my business bank account and a broker I previously used both require hardware keys and do not provide recovery codes.


I assume your bank has a physical place you can go to in order to get another token and you have a proper business relationship with them and somebody will ID you.

But many other sites have no other alternatives to recover, so the recovery codes are a nice solution.

Note that I dislike that my bank gives me their specific hardware token. I am not sure why I couldn't use a 'standard' Yubikey instead.



