by clinta
2673 days ago
2FA is protection against a lost password. It was never protection against a lost password combined with a stolen device. Think about this scenario. You use Google Authenticator on your phone, and have your banking app on your phone. A thief knows your banking password and steals your phone. Now replace "phone" with "computer". I don't see how changing the underlying 2FA device changes security. The only real danger is if that 2FA db on your computer is not encrypted. But again, the same danger exists if you use an unencrypted phone.

I don’t know where you’ve worked, but almost every time I’ve been in a discussion that’s an explicit goal. The most common situation being where someone loses a laptop but not a token or phone.

Even in the case where someone gets the phone, note that phones have fairly strong protection against reading private data directly, and 3/5 of my auth apps and my password manager require both the device and a passcode or Touch ID authentication to open, so it’s non-trivial to get either codes or passwords out of a device. On iOS at least it’s been many years since “an unencrypted phone” existed, so there aren’t simple ways to get around this which don’t just devolve to some form of “if the CIA/Mossad/etc. target you but inexplicably choose not to hold a gun to your head until you unlock the account”.