by tomatocracy 2490 days ago
Until the authenticator app which holds the TOTP secrets in clear text is on the same phone as you are using to access the website/app in question to start with. Then you'd probably be better off storing a token in the secure enclave in the app itself instead.

I don't understand why people do that. Your 2nd authentication factor should not be something relying on the same device that you're using.
It reduces the set of people who can access your account from "people with the password" to "people with the password and access to my phone."

It's less like a 2nd factor and more like a poor man's password-protected private key authentication, but it's way better than just a password.