undefined | Better HN

0 pointsdemosito6665y ago0 comments

Congrats, you have just negated the second factor in 2FA by having all your keys at one place in one application.

0 comments

2FA is about having a factor which changes everytime you use it so if the medium is intercepted somehow the account isn't permanently compromised.

It's protection for when using untrusted computing devices, or because most people have their passwords in some way visible or shared.

TOTPs can't be reasonably made much longer then they are while still usefully entered, but my password database never leaves my own devices and neither does the password to it.

If someone compromises my phone to the level they can get that database, then they've already got my Google Authenticator or whatever DB as well anyway.

demosito666OP5y ago

IMO this reduces the protection of 2FA significantly. For me 2FA is primarily not having a single device that's enough to compromise to get access to your important accounts. This means that I never have both factors (password and TOTP key in our case) on a single device. That's why

> they've already got my Google Authenticator or whatever DB as well anyway.

is of course good for them, but they still need to get my password from my other device.

XorNot5y ago

If your device is compromised to the point that someone is reading out the content of non-online, encrypted DBs, or keylogging aggressively, then they've also got your email and can much more easily just send a password reset to 90% of everything out there.

2FA as the internet uses it has always been about dealing with accidental disclosure and public PCs.

1 more reply

stjohnswarts5y ago

For most of us 2FA as it is works fine. Until I become a CIA operative or drug dealer I suspect the current setups are fine via companies like authy, 1Pass, and google auth.

j / k navigate · click thread line to collapse

0 comments

XorNot5y ago

2FA is about having a factor which changes everytime you use it so if the medium is intercepted somehow the account isn't permanently compromised.

It's protection for when using untrusted computing devices, or because most people have their passwords in some way visible or shared.

TOTPs can't be reasonably made much longer then they are while still usefully entered, but my password database never leaves my own devices and neither does the password to it.

If someone compromises my phone to the level they can get that database, then they've already got my Google Authenticator or whatever DB as well anyway.

demosito666OP5y ago

> they've already got my Google Authenticator or whatever DB as well anyway.

is of course good for them, but they still need to get my password from my other device.

XorNot5y ago

2FA as the internet uses it has always been about dealing with accidental disclosure and public PCs.

1 more reply

stjohnswarts5y ago

For most of us 2FA as it is works fine. Until I become a CIA operative or drug dealer I suspect the current setups are fine via companies like authy, 1Pass, and google auth.

j / k navigate · click thread line to collapse