undefined | Better HN

0 pointsspeedgoose8mo ago0 comments

It’s still one device.

0 comments

The second factor does not have to be a second device. Like everything security, it’s what you’re protecting against. Shoulder surfing and device theft are not something I worry about in my home setup, for example.

Aachen8mo ago

> The second factor does not have to be a second device. Like everything security, it’s what you’re protecting against.

It doesn't matter if you store your 2FA seed on a billboard or as a tattoo where the sun doesn't shine: 2FA means two factors. The definition doesn't change when your home setup's threat model doesn't call for 2FA and you thus decide to store two secrets in the same place (making a compromise of one necessarily a compromise of the other, thus 1FA)

wolvesechoes8mo ago

> making a compromise of one necessarily a compromise of the other, thus 1FA

The only necessity is logical necessity, and it doesn't apply there.

Aachen8mo ago

You're saying you can store two pieces of information in one file, without a compromise of one implying a compromise of the other? Do elaborate

1 more reply

brookst8mo ago

This is so wrong. You’re conflating where things are with what they are. Two factors does not mean two devices.

speedgooseOP8mo ago

Yes it depends on your treat model. But being defeated by one simple keylogger isn’t a risk I’m willing to take even at home.

AstralStorm8mo ago

And yes, 2FA single use codes will protect against a simple keylogger.

But if its on the same device, it will not protect you against a password database harvester.

alanfranz8mo ago

If you login from your phone, it’s still one device. Should we have different totps for different devices?

Something that you have can be your own pc.

Aachen8mo ago

You're onto something even banks don't seem to understand! The industry standard for doing financial transactions calls for 2FA but then they make a mobile app that can self-approve transactions. Yes, using only one mobile device is 1FA, just like using one desktop only, but people generally consider mobile OSes safer because the permission model and process isolation is on a whole other level

broken-kebab8mo ago

There's a grain of truth in your statement, but no matter how hard it's to accept for all of us nerds here, in real life words are defined by usage. If industry calls it 2FA, users call it 2FA, then it's 2FA.

Aachen8mo ago

They can call the sky green but unless the wavelength changed, I don't see the benefit of taking over that terminology, no matter if you're a user or a nerd or both. That's the real-life situation: sky isn't green, idk why anyone would need to "accept" that or not when it factually isn't the case

1 more reply

wolvesechoes8mo ago

If you store two databases on two devices it makes them suddenly one device? What kind of security sorcery is this?

j / k navigate · click thread line to collapse

0 comments

quchen8mo ago

Aachen8mo ago

> The second factor does not have to be a second device. Like everything security, it’s what you’re protecting against.

wolvesechoes8mo ago

> making a compromise of one necessarily a compromise of the other, thus 1FA

The only necessity is logical necessity, and it doesn't apply there.

Aachen8mo ago

You're saying you can store two pieces of information in one file, without a compromise of one implying a compromise of the other? Do elaborate

1 more reply

brookst8mo ago

This is so wrong. You’re conflating where things are with what they are. Two factors does not mean two devices.

speedgooseOP8mo ago

Yes it depends on your treat model. But being defeated by one simple keylogger isn’t a risk I’m willing to take even at home.

AstralStorm8mo ago

And yes, 2FA single use codes will protect against a simple keylogger.

But if its on the same device, it will not protect you against a password database harvester.

alanfranz8mo ago

If you login from your phone, it’s still one device. Should we have different totps for different devices?

Something that you have can be your own pc.

Aachen8mo ago

broken-kebab8mo ago

Aachen8mo ago

1 more reply

wolvesechoes8mo ago

If you store two databases on two devices it makes them suddenly one device? What kind of security sorcery is this?

j / k navigate · click thread line to collapse