When I go on to 2FA, I get a QR code. That’s just a long string. I can save it on my phone, save it on my computer in my password manager, and it can just as easily be stolen. I also get a bunch of “recovery codes” that I can again download and store in a password manager, right next to my password.
So it seems like a 2FA code can be stolen just as easily as a password. If that’s true, how does it actually increase security compared to, say, not allowing the user to pick their own password and just generating a long secure one for them?
There are more ways to steal a password than to break into someone’s password manager. Someone could steal your password simply by glancing over your shoulder as you type it. Or, a more high-tech version of that would be sniffing your wireless traffic or your keyboard actions (via a hardware or software sniffer).
The 2nd factor can’t be stolen that way, because every code you ever type in is a one-time code and can’t be re-used.
That said, if you want to really maximize security benefits from 2FA, you store the 2 factors separately. If you store them in the same place, you are choosing to compromise security for convenience.
* Storing the recovery codes or the QR code in the same password manager as the password compromises 2FA, as you correctly predicted. Recovery codes could instead be printed and stored in a drawer at home.
* Storing the password in the password manager of your phone which also has the authenticator app also compromises 2FA. If someone stole your phone they now have both factors.
So, don’t do those things if you want to maximize benefit from 2FA.