Using a security key as 2FA instead of TOTP would have prevented this attack, ri... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		tadamcz 5 months ago \| parent \| context \| favorite \| on: NPM debug and chalk packages compromised Using a security key as 2FA instead of TOTP would have prevented this attack, right? If you maintain popular open source packages for the love of God get yourself a couple of security keys.

SahAssar 5 months ago [–]

Well, that would also require all the services to support webauthn/FIDO, which a lot of them don't. Some who do support it only allow one key or trivial bypass via "security questions".

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact