by happyopossum
1524 days ago
The whole "thing you know / thing you have" is very outdated thinking. It made sense as a way to explain it 20+ years ago when 2fa was primarily done with physical RSA fobs, but it makes no sense in the modern world of TOTP, password managers, etc. For one thing, TOTP by its nature isn't tied to a thing I have. Heck - you could build a TOTP token web service accessible from anywhere, it's just an algorithm. Secondly, if you're using a password manager, you likely don't know the password, so that part doesn't fit either. And if you insist on still fitting that square peg into today's round hole: the thing I know is my password manager's decryption key, and the thing I have is my laptop / iPhone.
And then the remote system, trying to be ultra-secure, says "ok we'll send you an email/message and you need to confirm that". But that third factor message comes in on the exact same device I'm using for both the first factor and the second factor.
It's all just security theater.
Conceptually, it kinda makes sense. Like when using a credit card, require the name on the card, expiration date, billing address, and CVC instead of just the number.
But in practice, eh. We have nothing similar to the financial system to catch fraudulent ID usage. So it's all just extra annoyance. For practicality, almost everyone will end up with everything just being a single factor.