by bad_user 2886 days ago
> If you're using a password manager to have unique passwords for every site, what does TOTP 2FA even protect you against?

Man-in-the-middle attacks, of course, which are possible on insecure connections. With the prevalence of root certificates installed on people's computers as a corporate policy, by shitty anti-viruses, etc., it's very much possible to compromise HTTPS connections.

The TOTP 2FA code acts as a temporary password that's only available for a couple of seconds. A "one time password" if you will.

Yes, it still strengthens security.

Read 1Password's article about it: https://blog.agilebits.com/2015/01/26/totp-for-1password-use...


This would make sense if virtually every website in the world didn't react to the short-term TOTP secret by handing back a long-term HTTP secret.

If there's no point improving client authentication until you've improved website security and no point improving website security until you've improved client authentication, then neither will ever get better.

If there's a MitM attack, you've already lost. Sure, they can only log in one time, but they're in once you provide the authentication steps.

Phishing sites collecting and using the 2FA creds in real time was discussed here, among other places: https://security.stackexchange.com/questions/161403/attacker...

With available open source like https://github.com/ustayready/CredSniper readily available, you're only going to stop lazy phishing attempts.

You only get protection if you assume the scripts are just passively collecting information for use at a later time. If they're actively logging in to establish sessions while they're phishing, it's game over.

But don't many sites require a second authentication to modify access to the account (change password, add collaborator, etc.)? In that case, an attacker would need a second one-time code.

Normally I believe they just require the password. The threat model there is someone leaving their account logged in.

> Normally I believe they just require the password.

Shoot, you're right. Not sure what I was thinking. My bad.

Yeah, that's why codes don't make for a good second factor. You should use something like FIDO or a client cert, such that a MitM can't continue to impersonate the client.