Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

MFA won’t protect against phishing.


The MFA we commonly use right now won't protect against phishing because, as I suspect you mean, the codes are not protected against being entered into the "wrong" site.

Proper MFA, like U2F/FIDO2/whatever-it-is-called-today, will protect against phishing because the visited site won't match the hash needed to complete the second-factor-auth-flow.


Yes it does, maybe not directly. Two examples, both 1Password and my Yubikey only autofill passwords based on the domain. I immediately get a tingle when I go to autocomplete a commonly visited website and it doesn't fill ... time to immediately inspect the URL for phishing etc. Those tools have definitely saved me multiple times.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: