Do you think that you could get Google, or GitHub, to turn off your 2FA login requirement if you really needed it? Like if you lost your codes? Or never saved them in the first place?
Well, GitHub, Google, and many others allow you to bypass 2FA by using an alternate method. For example, GitHub will send a prompt to their app on your phone, if you’re trying to log in to the website. I believe Google can send a similar prompt to YT or Gmail apps, although I don’t use Google anymore.
I understand you’re frustrated, and clearly, Uber not allowing you to create another account is the crux of the issue here. That and the fact you didn’t save your backup codes.
For what it’s worth, I use 2 YubiKeys that are either used for WebAuthn or TOTP. In addition, I write down every single backup code (yes, manually) in a notebook. This is in addition to my passwords being in a password manager.
If I lose my primary YubiKey, I still have a backup one. I just need to go recover it (which, granted, requires me to go back to $HOME_COUNTRY first). If I lose both YubiKeys, I can still recover accounts with the backup codes. If I lose all three, then yes, I am fully aware I won’t recover the accounts. That’s exactly as I designed it.
The correct advice to retain from this event is: test your backups. Your backups are worthless if you never check their contents. You are absolutely right: if you lose the backup codes and then lose the 2FA access, you’re screwed. The only way around this is to verify whether you have the backup codes on a regular basis.
In general, if an account is associated with a phone number, then I expect to be able to use the phone number to restore access to the account. Uber looks to have failed you here.
As for my Google and GitHub accounts, if they're not associated with a phone number or recovery email address, I fully expect to lose access permanently if I were to lose the codes. In such a case, I take responsibility for it.
> to use the phone number to restore access to the account.
No. A phone number is not associated with a person for a lifetime. It can be "rented out" to someone else if it stops being used. However, an "account" is (as it has credit cards and such). So a phone number cannot identify an account solely, without anything else in addition.
Yes. And I don't just think that's the case. I know it's the case, because I have had my phone get stolen, and been able to recover access to all accounts without using backup codes or having had multiple copies of the TOTP secrets.