When I go on to 2FA, I get a QR code. That’s just a long string. I can save it on my phone, save it on my computer in my password manager, and it can just as easily be stolen. I also get a bunch of “recovery codes” that I can again downoad and store in a password manager, right next to my password.
So it seems like a 2FA code can be stolen just as easily as password. If that’s true, how does it actually increase securit compared to, say, not allowing the user to pick their own password and just generating a long secure one for them?
In: Technology
[removed]
Malicious person tries to log into your account, but 2fa needs you to approve from your phone/needs a code from an app on your phone. Boom, they can’t get in cause they dont have your phone. Works with email too, as long as you dont have the same password there.
E: i dont know about qr code 2fa, all my accounts use app or email authenticators, but in general making it harder/more work to compromise your account is what its about.
2FA involves something you know and something only you have. I could tell you my ATM PIN code for Bank of America is 5971. But that doesn’t do you any good because you don’t have my card. I also could tell you my Google email and password. That won’t let you into my account either because you don’t have my phone. If you tried to log in with my credentials, you still need to wait on me to tap yes on a notification on my phone to let you in.
There are more ways to steal a password than to break into someone’s password manager. Someone could steal your password simply by glancing over your shoulder as you type it. Or, a more high-tech version of that would be sniffing your wireless traffic or your keyboard actions (via a hardware or software sniffer).
The 2nd factor can’t be stolen that way, because every code you ever type in is a one-time code and can’t be re-used.
That said, if you want to really maximize security benefits from 2FA, you store the 2 factors separately. If you store them in the same place, you are choosing to compromise security for convenience.
* Storing the recovery codes or the QR code in the same password manager as the password, compromises 2FA, as you correctly predicted. Recovery codes could instead be printed and stored in a drawer at home.
* Storing the password in the password manager of your phone which also has the authenticator app also compromises 2FA. If someone stole your phone they now have both factors.
So, don’t do those things if you want to maximize benefit from 2FA.
So, two factor authentication works by increasing the number of things the attacker needs to “get” or fake.
One of them is the password, but the other thing they need is *your phone*. If a hacker gets your password and tries to log on using his device, the 2FA system will send the notification to your pre-authorised phone saying “hey, is this you?”, and wont let the hacker in unless you authorise him using your phone. They can’t re-route that request to them, becuase the system doesn;t ask them where to send it, it checks the internal database what phone they are looking for, including stuff like phone serial number, make & model, etc.
Thus, instead of just a password, the hacker needs to get his hand on your phone, and that makes the hack MUCH harder. Most methods of defeating 2FA are built on social engineering methods to trick you into authorising the hacker, because thats the easiest method of bypassing it.
The alternative is tracking you down and physically stealing the phone, to then try and break the phones password and PIN, THEN the 2fa apps password, THEN doing the authorising.
needless to say, this is a lot of work, and that’s why 2fa works.
And that’s why ideally you want to use a Yubikey for 2FA when available. 2FA is supposed to be “something you possess”, while a password is “something you know”.
The goal of the second factor is to require that the login happens on one of your devices, so that even if someone has your password, they can’t get in. By contrast, the goal of the first factor, the password, is to make sure that someone can’t get in even if they do have access to one of your devices, if they don’t have the information you know.
You do have a point in that the two factors may seem superfluous in a password manager context, but that’s because the password manager essentially enforces both factors for you; you need a master password to do anything, and the database that you need to access with the password is only on your devices, so you achieve both goals.
This is not the norm; the password system is still very much designed around the idea that most people do not use a password manager, and instead reuse simple strings they can remember in their head. Likewise, 2FA key generators are not always locked behind reauthentication.
The industry has also noticed this, and is in the early phase of a transition to passkeys, which are essentially a more advanced 2FA key that also replaces your website password, that you’re storing in an encrypted database that you need a master password or biometrics to access (for example in something like a password manager), thereby essentially forcing password manager level security for everyone, and making the login more seamless while doing so.
> I get a QR code
That QR code will be different each time and only the latest will work (or they have a time limit).
> that I can again downoad and store in a password manager, right next to my password.
There’s also nothing stopping you from writing all your passwords into a tweet, but we rightly consider that to be an issue of “the user is a complete moron”. This is a related concept.
Two-factor authentication, in theory, improves security because it requires you to pass two forms of authentication. In practice, it’s almost always turned into half-factor authentication because it allows either-or authentication with a password or SMS. So it actually reduces your security in most cases.
A strong implementation would require you to know a password and have a physical cryptographic USB token. So if your password is cracked or stolen by a hacker, they still can’t gain access to your bank account or BitCoin account. But very few services use this level of security.
If someone possesses your cell phone number and can receive SMS confirmation codes, they can reset access to your bank or crypto account and steal your money even though they don’t know your password. So hackers started hijacking cell phone numbers by calling tech support for your cell carrier and claiming they lost their phone and that they need to reset it to a new SIM card. They might need to call several support agents but eventually, they trick one to transfer your cell number to their cell phone. Then they break into any of your accounts.
The QR code is an easier way that only works if you’re already logged in on your phone. Otherwise you’d have to verify a different way (eg email or text). So someone who knows your password can’t login because they don’t have your phone. And they can’t login on a different phone because they don’t have your SIM or email.
(Side note, SMS 2FA is bad actually. You’re number can potentially get [SIM jacked](https://en.wikipedia.org/wiki/SIM_swap_scam). It’s really a shame that so many sites use it)
> I also get a bunch of “recovery codes” that I can again downoad and store in a password manager, right next to my password.
Don’t do that.
Latest Answers