|
|
|
|
|
|
by baby
2166 days ago
|
|
|
> This defeats the point of 2FA that's not true. You need to think of a threat model. 2FA still successfully prevents attackers that do not yet have a session to connect to your account. So it is still a clear net benefit. What it does not prevent, is attackers downgrading your account from a session that already exist. At this point it is easy to argue that if an attacker has this kind of access then the only thing you can do is add 2FA to all critical actions, not just removing 2FA (that would be the least of your issue), but every critical action you can do in the app. For example if the app is a bank, and wants to protect against these kind of attacks, then they have to prompt 2FA every time you want to want to send money (at least). |
|
|