Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Powerless, that's exactly it. I pushed back when asked to implement email-based "2FA" on a website account (nothing like as important as a bank though). I pointed out that the username is the email address, and password recovery works by emailing a reset link, therefore emailing a login code wouldn't be two-factor, it would be the same factor. Of course the response was: doesn't matter, the client's asked for it. I didn't have the authority to push back any more, but luckily in this case it was just a simple website login that had no real need for 2FA anyway.


Are you me? I am an SE in a bank and I had this exact experience this week - though it relates to authing with the online banking system.

As I see it, it's an unfortunate combination of an extremely risk-averse environment, a total lack of trust in their IT staff, and - if I can be pointed - unqualified product teams. I can explain the the inadvertent drop from 2FA to 1FA, I can back it up with NIST, OWASP and Gov references explaining why it's a bad idea, but I am simply ignored because they are bent on execution of their 'vision'. At this point, I raise my concerns just to have my biases confirmed.

It's really frustrating and obviously as a banking customer I want sensible security features too, but if I can generalise, we devs are not driving the bus. We're stuffed in the luggage compartment, wheeled out as necessary.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: