How does 2FA actually increase security?


When I go on to 2FA, I get a QR code. That’s just a long string. I can save it on my phone, save it on my computer in my password manager, and it can just as easily be stolen. I also get a bunch of “recovery codes” that I can again download and store in a password manager, right next to my password.

So it seems like a 2FA code can be stolen just as easily as a password. If that’s true, how does it actually increase security compared to, say, not allowing the user to pick their own password and just generating a long secure one for them?


12 Answers

Anonymous 0 Comments

Two-factor authentication, in theory, improves security because it requires you to pass two forms of authentication. In practice, it’s almost always turned into half-factor authentication because it allows either-or authentication with a password or SMS. So it actually reduces your security in most cases.

A strong implementation would require you to know a password and have a physical cryptographic USB token. So if your password is cracked or stolen by a hacker, they still can’t gain access to your bank account or Bitcoin account. But very few services use this level of security.

If someone possesses your cell phone number and can receive SMS confirmation codes, they can reset access to your bank or crypto account and steal your money even though they don’t know your password. So hackers started hijacking cell phone numbers by calling tech support for your cell carrier and claiming they lost their phone and that they need to reset it to a new SIM card. They might need to call several support agents, but eventually they trick one into transferring your cell number to their cell phone. Then they break into any of your accounts.
