When I go on to 2FA, I get a QR code. That’s just a long string. I can save it on my phone, save it on my computer in my password manager, and it can just as easily be stolen. I also get a bunch of “recovery codes” that I can again downoad and store in a password manager, right next to my password.
So it seems like a 2FA code can be stolen just as easily as password. If that’s true, how does it actually increase securit compared to, say, not allowing the user to pick their own password and just generating a long secure one for them?
In: Technology
The QR code is an easier way that only works if you’re already logged in on your phone. Otherwise you’d have to verify a different way (eg email or text). So someone who knows your password can’t login because they don’t have your phone. And they can’t login on a different phone because they don’t have your SIM or email.
(Side note, SMS 2FA is bad actually. You’re number can potentially get [SIM jacked](https://en.wikipedia.org/wiki/SIM_swap_scam). It’s really a shame that so many sites use it)
> I also get a bunch of “recovery codes” that I can again downoad and store in a password manager, right next to my password.
Don’t do that.
Latest Answers