When I go on to 2FA, I get a QR code. That’s just a long string. I can save it on my phone, save it on my computer in my password manager, and it can just as easily be stolen. I also get a bunch of “recovery codes” that I can again download and store in a password manager, right next to my password.
So it seems like a 2FA code can be stolen just as easily as a password. If that’s true, how does it actually increase security compared to, say, not allowing the user to pick their own password and just generating a long secure one for them?
I think many of these answers are missing the point and something OP alluded to — 2FA in this context is generally “something you know” and “something you have”. At one time, “something you have” would be something like an RSA hardware token or perhaps a YubiKey. In these cases, the hardware is physically resistant to attack/cloning, so for the most part you really do have to have that actual physical device. More often these days, people are using TOTP apps on a phone as the “something you have”. In a case where the seed value is not exposed to the user and the app is well designed, controlled, and cannot have its data moved to a new device, this is the same as the RSA hardware tokens or YubiKeys mentioned above. But… more often than not, this is not how things are implemented. If the seed value is exposed to the user or stored in some sort of recoverable location, it has just become another “something you know”.
All that said, having something like Google Authenticate set up as MFA on an account is still better than just a username and password for the “average user”. I say this because while a user could save off the seed value and that could be stolen, this seems much less likely to occur than a user having their password stolen. The average user is going to set their password to an easy-to-remember, and likely reused, value and will set up MFA without saving off the seed value. Additionally, the actual TOTP is short lived, so while it may be more easily stolen (phished) from a user, it will be of time-limited use.