What’s the point of 2FA, if there’s a recovery code you can use when you lose ability to use your 2FA device?


In the end, isn’t that recovery code just the same as a password?


The recovery code ideally wouldn’t be stored in the same place as the password itself. Common recommendation is to write it down on paper and store it somewhere, and keeping it as a single use option to prevent it from being reused indefinitely.

The idea is that the second factor, such as requesting a confirmation code via your email, isn’t actually known to the attacker, so they have no way to get a recovery code.

If they have you log in with your email address and then also use that email address for 2FA confirmation, that’s just badly designed.

Kind of.

Most attacks aren’t targeted. 2FA, even with a recovery code, requires an attacker to both get the password and get the recovery code.

Since recovery codes are only kept with the individual and the service it means that an attacker would need to hack the service itself, and if they could do that then they wouldn’t need your account credentials.

Most account compromises happen because of password reuse.

Here’s an example. I have an account on Website A and Website B. I use the same password for both.

Website A gets hacked and all the usernames and passwords are leaked online.

Hackers take the passwords from Website A and try them on Website B. Since I used the same password on both, they can now log in to Website B.

Now if I have 2FA enabled on Website B, they log in with the password but they don’t have my 2FA, so they fail to log in. Even if I had recovery codes with Website B, the attacker still doesn’t have those because they weren’t stored with Website A.

There’s some good info here, but I think a lot have missed the point. Let me add my .02…

There are several ways to authenticate somebody behind a keyboard. For many years, we’ve relied on “something you know.” That is, a password.

We could also authenticate you based on “something you are.” So… fingerprints, retina scan, palm vein, even walking gait.

Lastly, we can authenticate based on “something you have.” A “key file,” a phone, an RSA key.

Two factor authentication (2FA), or Multi factor authentication (MFA), uses a combination of two or more of these methods. So when you’re setting up 2FA and they provide you with backup codes, this is still “something you have” and should be used as a last resort to reconfigure your MFA as necessary.

To answer your question: No, the backup/recovery code is not a password. Your password is your password. Your recovery code will allow you to reconfigure your MFA solution in the event you lose the “something you have” factor of your MFA solution.
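The scenario the earlier reply describes (one password reused at Website A and Website B, Website A breached) and the point made above (a recovery code is a single-use "something you have" that lets you reconfigure MFA, not a second password) can both be run end to end. The following is an added example written for this thread, not code from any of the posters or from any real service; the account store, the two sites, the password and the recovery-code format are all constructed for illustration. It implements RFC 6238 TOTP over HMAC-SHA1 so the "device" side is real rather than stubbed:

```python
import hashlib
import hmac
import os
import secrets
import struct
import time
from typing import Optional


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme used by common authenticator apps."""
    counter = int((time.time() if for_time is None else for_time) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _hash_recovery(code: str) -> bytes:
    # Recovery codes are high-entropy random strings, so a plain hash is enough to keep
    # a database dump from revealing them; the service never stores the plaintext.
    return hashlib.sha256(code.encode()).digest()


class Account:
    """One user record at one service (constructed for this example, not a real system)."""

    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(password, self.salt)
        self.totp_secret: Optional[bytes] = None
        self.recovery_hashes: set = set()

    def enroll_totp(self):
        """Enable (or re-enable) TOTP and issue fresh single-use recovery codes.
        Any previously issued codes are revoked by replacing the whole set."""
        self.totp_secret = secrets.token_bytes(20)
        codes = [secrets.token_hex(5) for _ in range(8)]   # 40 bits of entropy each
        self.recovery_hashes = {_hash_recovery(c) for c in codes}
        return self.totp_secret, codes

    def login(self, password: str, second_factor: Optional[str], now: Optional[float] = None) -> str:
        """Password first; if TOTP is enrolled, then a current TOTP code or an unused recovery code."""
        if not hmac.compare_digest(_hash_password(password, self.salt), self.pw_hash):
            return "denied: bad password"
        if self.totp_secret is None:
            return "ok"
        if second_factor is None:
            return "denied: second factor required"
        if hmac.compare_digest(second_factor.encode(), totp(self.totp_secret, now).encode()):
            return "ok"
        digest = _hash_recovery(second_factor)
        if digest in self.recovery_hashes:
            self.recovery_hashes.discard(digest)   # single use: the same code never works twice
            return "ok: recovery code consumed, re-enroll TOTP"
        return "denied: bad second factor"


def credential_stuffing_demo() -> dict:
    """Replay the thread's scenario: one password reused at two sites, site A breached."""
    shared_password = "correct horse battery staple"   # constructed sample value
    site_a = Account(shared_password)
    site_b = Account(shared_password)
    _, codes_b = site_b.enroll_totp()
    now = time.time()   # fixed once so every TOTP check in this run uses the same window

    # Site A is breached and the attacker recovers the password. Site A never held
    # site B's TOTP secret or recovery codes, so the password is all the attacker has.
    leaked = shared_password
    results = {
        "attacker_site_a": site_a.login(leaked, None, now),
        "attacker_site_b_password_only": site_b.login(leaked, None, now),
        "attacker_site_b_guessed_code": site_b.login(leaked, "000000", now),
        "owner_site_b_totp": site_b.login(shared_password, totp(site_b.totp_secret, now), now),
        "owner_site_b_recovery": site_b.login(shared_password, codes_b[0], now),
        "owner_site_b_recovery_reused": site_b.login(shared_password, codes_b[0], now),
    }
    # After using a recovery code the owner re-enrolls MFA; the old code set is revoked.
    site_b.enroll_totp()
    results["old_code_after_reenroll"] = site_b.login(shared_password, codes_b[1], now)
    return results
```

Running `credential_stuffing_demo()` shows the leaked password succeeding at Website A and failing at Website B without a second factor, the owner getting in with either a TOTP code or a recovery code, the same recovery code being refused the second time, and the remaining codes dying once TOTP is re-enrolled. Note that Website B's database holds only hashes of the recovery codes, which is why a breach of B alone does not hand the attacker a usable code either.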

The second factor doesn’t have to be linked to a device. It can be linked to an email, which you can access from any device.

The idea is it’s now twice as hard for an attacker to get into your account, because they need the verification code from either your device or your email, but they don’t know your email or have access to your device, so they would need to gain access to that in order to break in.

It just needs to be a second factor (2 factor identification); it doesn’t need to be a physical device.