Hacker News new | ask | show | jobs
by isaacaggrey 5062 days ago
> compromising the phone (2nd factor for the general public) allow compromising both passwords and the authenticator

Unless I've misunderstood how 2-factor authentication works, this is misinformation. The entire point of 2-factor authentication is that you need _both_ factors; i.e., having only one does not compromise the system.
1 comments
zobzu 5061 days ago
Except in practice you have both factors on the phone (unless you don't use the phone for anything else than .. phone and an authenticator? that just never happens)

so, no, you just need to think about it a little while longer.

link
isaacaggrey 5059 days ago
> Except in practice you have both factors on the phone

What do you mean by this? I'm not doubting you, but I'm still a bit confused -- currently taking a Security course, so I'm a newbie in the field.

Do you mean that if the phone is compromised (and you don't know its compromised) that once you input your password (the "what you know") the system is broken? Certainly, I can see that.

I may still be misunderstanding, but if you don't store your password(s) on your phone, then does it prevent this attack?

link