How does 2FA actually increase security?


When I go on to 2FA, I get a QR code. That’s just a long string. I can save it on my phone, save it on my computer in my password manager, and it can just as easily be stolen. I also get a bunch of “recovery codes” that I can again download and store in a password manager, right next to my password.

So it seems like a 2FA code can be stolen just as easily as a password. If that’s true, how does it actually increase security compared to, say, not allowing the user to pick their own password and just generating a long secure one for them?


12 Answers

Anonymous 0 Comments

So, two factor authentication works by increasing the number of things the attacker needs to “get” or fake.

One of them is the password, but the other thing they need is *your phone*. If a hacker gets your password and tries to log on using his device, the 2FA system will send the notification to your pre-authorised phone saying “hey, is this you?”, and won’t let the hacker in unless you authorise him using your phone. They can’t re-route that request to them, because the system doesn’t ask them where to send it, it checks the internal database what phone they are looking for, including stuff like phone serial number, make & model, etc.

Thus, instead of just a password, the hacker needs to get his hand on your phone, and that makes the hack MUCH harder. Most methods of defeating 2FA are built on social engineering methods to trick you into authorising the hacker, because that’s the easiest method of bypassing it.

The alternative is tracking you down and physically stealing the phone, to then try and break the phone’s password and PIN, THEN the 2FA app’s password, THEN doing the authorising.

Needless to say, this is a lot of work, and that’s why 2FA works.
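
An added example, not part of the question or the answer above: for app-based 2FA, the "long string" in the QR code is a shared secret from which both sides derive a short-lived code (TOTP, RFC 6238), so a captured code expires and is refused on reuse, while the QR string itself stays valid until 2FA is re-enrolled. The sample URI uses the RFC 6238 test key, and the names `QR_TEXT`, `secret_from_qr` and `Verifier` are constructed for this sketch.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: the text a 2FA QR code encodes (an otpauth URI).
# The secret is the RFC 6238 test key, not a real account.
QR_TEXT = ("otpauth://totp/Example:alice@example.com"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def secret_from_qr(qr_text):
    """Extract the shared secret (raw bytes) from the otpauth URI."""
    query = parse_qs(urlparse(qr_text).query)
    return base64.b32decode(query["secret"][0], casefold=True)

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Server side: accepts each code once, within +/- `drift` time steps."""
    def __init__(self, secret, step=30, drift=1):
        self.secret, self.step, self.drift = secret, step, drift
        self.last_counter = -1                   # highest time step already used

    def verify(self, code, now):
        current = int(now) // self.step
        for counter in range(current - self.drift, current + self.drift + 1):
            expected = totp(self.secret, counter * self.step, self.step)
            fresh = counter > self.last_counter  # refuse replayed time steps
            if fresh and hmac.compare_digest(expected.encode(), str(code).encode()):
                self.last_counter = counter
                return True
        return False

if __name__ == "__main__":
    secret = secret_from_qr(QR_TEXT)
    server = Verifier(secret)
    code = totp(secret, 59)
    print("code at t=59:", code)
    print("first use accepted:", server.verify(code, 59))
    print("replay accepted:", server.verify(code, 59))
    print("five minutes later accepted:", server.verify(code, 59 + 300))
```
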
