When I go on to 2FA, I get a QR code. That’s just a long string. I can save it on my phone, save it on my computer in my password manager, and it can just as easily be stolen. I also get a bunch of “recovery codes” that I can again download and store in a password manager, right next to my password.
So it seems like a 2FA code can be stolen just as easily as a password. If that’s true, how does it actually increase security compared to, say, not allowing the user to pick their own password and just generating a long secure one for them?
The goal of the second factor is to require that the login happens on one of your devices, so that even if someone has your password, they can’t get in. By contrast, the goal of the first factor, the password, is to make sure that someone can’t get in even if they do have access to one of your devices, if they don’t have the information you know.
You do have a point in that the two factors may seem superfluous in a password manager context, but that’s because the password manager essentially enforces both factors for you; you need a master password to do anything, and the database that you need to access with the password is only on your devices, so you achieve both goals.
This is not the norm; the password system is still very much designed around the idea that most people do not use a password manager, and instead reuse simple strings they can remember in their head. Likewise, 2FA key generators are not always locked behind reauthentication.
The industry has also noticed this, and is in the early phase of a transition to passkeys, which are essentially a more advanced 2FA key that also replaces your website password, that you’re storing in an encrypted database that you need a master password or biometrics to access (for example in something like a password manager), thereby essentially forcing password manager level security for everyone, and making the login more seamless while doing so.