
This looks like it was blown out of proportion. The founder is not involved in day-to-day technical stuff, and he misspoke. It's not the greatest thing to happen to a startup, but it hardly invalidates the whole premise. It's interesting to read that Google's seed length seems to compromise the security of their offering, since most of the replies here seem to be predicated on the idea that Google is doing everything right.


The Google Authenticator key length is truncated because of a usability tradeoff. Initially, a design goal was to allow people to manually type in keys on their device. This would be for cases where you couldn't scan a QR code, like when your device has no camera.

Given the security setting, I am comfortable with the tradeoff. I do not think brute-force attacks represent a significant risk, especially compared to other attack vectors.

That may change over time. Fortunately, it's straightforward to increase the default key size.
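As an added example (not code from any of the commenters, nor from Google Authenticator or Authy): an RFC 6238 TOTP implementation in Python with a helper that reports how many bits of entropy a base32 manual-entry key carries (5 bits per character), which is the quantity the key-length tradeoff described above is about. The 16-character key is a constructed sample, and the server-side verifier with its one-step drift window is my own assumption about how such a check is written.

```python
import base64
import hashlib
import hmac
import struct

# Added example (not from any poster): RFC 4226/6238 HOTP/TOTP plus a helper
# that reports the entropy a base32 manual-entry key carries.


def base32_secret_to_bytes(secret: str) -> bytes:
    """Decode a base32 key as printed for manual entry (spaces, lowercase, no padding)."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)          # restore the '=' padding dropped for readability
    return base64.b32decode(s)


def secret_strength_bits(secret: str) -> int:
    """Bits of entropy in a uniformly random base32 key: 5 bits per character."""
    return len(secret.replace(" ", "")) * 5


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the number of `step`-second windows since the Unix epoch."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check (assumed design): accept the current step and `window` steps
    either side for clock drift, comparing in constant time so timing leaks nothing."""
    step = 30
    for drift in range(-window, window + 1):
        expected = hotp(key, unix_time // step + drift)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    rfc_key = b"12345678901234567890"      # RFC 6238 test secret (ASCII digits)
    short_key = "gezd gnbv gy3t qojq"       # constructed 16-char manual-entry key
    print("TOTP at t=59:", totp(rfc_key, 59))                         # 287082 per RFC 6238
    print("RFC test key bits:", len(rfc_key) * 8)                      # 160
    print("16-char base32 key bits:", secret_strength_bits(short_key))  # 80
    print("verify with drift:", verify_totp(rfc_key, totp(rfc_key, 59), 70))  # True
```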


This is exactly what happened. Although I am involved in product 100% of the time, I don't deal with specific implementation details; the engineers working on the solution deal with that. So I tried to be as truthful as possible and answer all the questions I could; I simply got some details wrong. One of the engineers noticed and I rectified my answer.


I'm not trying to be rude, but they weren't "details", they were the difference between "secure" (which is the service you sell) and "insecure".


Details are really important. That doesn't mean I could possibly handle every single detail myself, I can't. We have a whole team that handles different parts of the system and they are fully qualified. In fact the engineers doing this feature did write the correct implementation. I simply made a mistake answering the question.

I think people are confusing the Authy Google Authenticator Support with the Authy product.

We do not sell Google Authenticator or aim to be a replacement for it. We simply added the possibility to add Google Authenticator tokens into the Authy App, mostly since our existing clients wanted this.

Our service, its usage, etc. are completely separate. If you are not using Authy you can simply use the Google Authenticator app.

The only thing in common is we both use RFC 6238, which is an open standard for time-based OTPs.



