[umurkontaci]

This is less secure than not having 2fa at all.

2FA means two factor authentication. It's a guarantee that even if someone hacks your password or steals your computer, if they don't also have physical access to the secondary device (phone, yubikey etc), they won't be able to gain access to your account.

If you put the secrets of 2FA into the same computer, you are back to 1FA.

However, you end up being less secure than not enabling 2FA in the first place. This is because when you enable 2FA, they can disable the regular checks that they have for 1FA accounts. It will also be incredibly difficult to regain access to the account if you don't have access to 2FA devices.

[clinta]

2FA is protection against a lost password. It was never protection against a lost password combined with a stolen device.

Think about this scenario. You use Google authenticator on your phone, and have your banking app on your phone. A thief knows your banking password and steals your phone.

Now replace "phone" with "computer". I don't see how changing the underlying 2FA device changes security.

The only real danger is if that 2FA db on your computer is not encrypted. But again, the same danger exists if you use an unencrypted phone.

[acdha]

> It was never protection against a lost password combined with a stolen device.

I don’t know where you’ve worked but almost every time I’ve been in a discussion that’s an explicit goal. The most common situation being where someone loses a laptop but not a token or phone.

Even in the case where someone gets the phone, note that phones have fairly strong protection against reading private data directly and 3/5 of my auth apps and my password manager have require both the device and a passcode or Touch ID authentication to open so its non-trivial to get either codes or passwords out of a device. On iOS at least it’s been many years since “an unencrypted phone” existed so there aren’t simple ways to get around this which don’t just devolve to some form of “if the CIA/Mossad/etc. target you but inexplicably choose not to hold a gun to your head until you unlock the account”.

[clinta]

In the hairy world of Android things are much less certain. Encryption is optional, and root access is available which can be leveraged to backup the unecrypted contents of any app, including Google authenticator. I'll agree, an iPhone is a very good secure second factor. But I don't see anyone getting as passionate about not using an android for second factor as people get over using a computer. Which to me seems totally unjustified.

Especially since most enterprises own their employee's laptops, but not their phones. The administrator can manage and mandate full disk encryption on the PC. But if the employer offers TOTP for a second factor, they have no control over what device holds those TOTP codes.

[ihattendorf]

Assuming they know the passphrase/PIN for the phone. It's also much easier for rogue software to steal the 2FA token from the laptop than the phone.

[alain_gilbert]

Please enlighten me how is it easier to decrypt my 1password on my laptop than it is on my phone ?

[jwilk]

> when you enable 2FA, they can disable the regular checks that they have for 1FA accounts

Who does that? And why would anyone do that?