by tialaramex 1794 days ago
Under WebAuthn you can have 2FA despite only one authentication flowing from your authenticator to the web site. Nice smartphones (say, a modern Pixel or an iPhone) with fingerprint readers have as the two factors your fingerprint (something you are) and the phone itself (something you have). The phone signs your authentication; the private information (your fingerprint) never leaves the phone, it just warrants that it checked it (UV bitflag in the signed data).

Or say you have a FIDO 2 Security Key from Yubico. As well as the features of the cheaper FIDO 1 Security Key products, this has a PIN verifier. The PIN is something you know, while the Security Key itself is something you have, so that's two factors, once again the UV bitflag is signed.

It's simpler, it's easier, it's more secure. And yet, right now I bet an HN reader is implementing yet another shitty SMS-as-2FA hack and we're still in a thread about remote authenticating with passwords - an idea that was already terrible in the 1970s.

1 comments
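The comment above hinges on the UV ("user verified") bit that the authenticator sets inside the signed authenticator data. The block below is an added example (not code from the thread or from any WebAuthn library) showing how a relying party parses that structure and decides whether the assertion counts as two-factor. The byte layout follows the WebAuthn specification (32-byte rpIdHash, 1 flags byte, 4-byte big-endian signCount); the sample bytes and the helper names `parseAuthenticatorData`, `classifyAssertion` and `buildSample` are constructed here for illustration. Signature and rpIdHash verification, which a real relying party must also perform, are deliberately out of scope.

```javascript
// Added example: parse WebAuthn authenticatorData and check the UV flag.
// Layout (WebAuthn spec, "Authenticator Data"):
//   bytes 0..31   rpIdHash   SHA-256 of the relying party ID
//   byte  32      flags      bit0 UP, bit2 UV, bit3 BE, bit4 BS, bit6 AT, bit7 ED
//   bytes 33..36  signCount  big-endian uint32
//   then optional attestedCredentialData (if AT) and extensions (if ED)

const FLAG_UP = 0x01; // user present (touch / presence check)
const FLAG_UV = 0x04; // user verified (PIN, fingerprint, etc. checked on device)
const FLAG_AT = 0x40; // attested credential data follows
const FLAG_ED = 0x80; // extension data follows

// Parse the fixed 37-byte prefix of authenticatorData into named fields.
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    flags,
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    attestedCredentialIncluded: (flags & FLAG_AT) !== 0,
    extensionsIncluded: (flags & FLAG_ED) !== 0,
    signCount: view.getUint32(33, false), // false = big-endian
  };
}

// Relying-party policy. Only an assertion with UV set is two-factor from the
// authenticator's side (possession + PIN/biometric). With requireUV=false the
// RP accepts a presence-only assertion and must treat it as a single factor.
function classifyAssertion(parsed, requireUV) {
  if (!parsed.userPresent) return "reject: user presence not asserted";
  if (requireUV && !parsed.userVerified) {
    return "reject: user verification required but not asserted";
  }
  return parsed.userVerified
    ? "accept: two-factor (UV)"
    : "accept: single-factor (UP only)";
}

// Constructed sample: all-zero rpIdHash (placeholder), given flags and signCount.
function buildSample(flags, signCount) {
  const out = new Uint8Array(37);
  out[32] = flags;
  new DataView(out.buffer).setUint32(33, signCount, false);
  return out;
}

// Stand-alone demonstration.
const withUV = parseAuthenticatorData(buildSample(FLAG_UP | FLAG_UV, 5));
const withoutUV = parseAuthenticatorData(buildSample(FLAG_UP, 6));
console.log(classifyAssertion(withUV, true));    // accept: two-factor (UV)
console.log(classifyAssertion(withoutUV, true)); // reject: user verification required but not asserted
```

The practical point: a relying party that wants the two-factor property the comment describes has to request verification (`userVerification: "required"` in the `PublicKeyCredentialRequestOptions`) and then actually check the UV bit in the signed data, rather than assuming that any successful assertion implies a PIN or biometric was checked.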

What if the phone is fully compromised?
What about it?

If your threat model is "People fully compromised my phone" then you should definitely not rely on the phone in the face of that.

Is there any realistic scenario that protects against a fully compromised phone/computer?
I mean yeah, if you use 2FA and both phone and computer are just one factor on their own, then a compromised phone does not matter. So my question is, how about the mentioned scenario - to me it seems that just compromising the phone would compromise the whole, but maybe I misunderstood.