[pxeger1]

This is not a compelling argument that 2FA is reduced to 1FA. You need either: something you have (phone) and something you are (face), OR something you have (phone) and something you know (passcode). In either case, there are still two factors. For a criminal to perform shoulder surfing and theft, more things must go right for them than to do either individually.

[wintermutestwin]

> something you have (phone) and something you are (face), OR something you have (phone) and something you know (passcode).

Thank you for breaking it down like this. The bottom line is that if you don’t have your phone, you can’t access your accounts. That is a massive risk factor - particularly while traveling. That tells me that passkeys and password managers are not a viable security solution.

[rkrisztian]

Exactly, your phone can break or get stolen any time. Plus I just don't want to limit myself to a single device.

[okanat]

Unfortunately in Germany almost all banks force you to use an unmodified phone (so no de-Googled) Android as the 2FA. There are other solutions like code generators but they require extra payment.

[zarzavat]

Buy an older iPhone for ~$150. Install financial apps on it and don't use it for anything else. Keep it in a safe place, only carry it around if you must.

If you need to manage non-trivial amounts of money through your phone, having a specific device to do that is a no-brainer.

[frollogaston]

Is the risk that someone's going to steal my phone, forcibly hold it to my face, and wire my money somewhere? So far I've known two close friends who got mugged, the robber didn't think of this. Last time I tried intentionally wiring a large amount of money to someone, it took forever and involved tons of approval.

[zarzavat]

It's common in London, phones are being stolen for the access to financial accounts, not the value of the phone itself. They steal the phone out of your hands while it is unlocked. For example:

https://www.bbc.com/news/articles/cy8y70pvz92o.amp

I'm not sure exactly how they get around security features, perhaps by social engineering customer support, if they have enough PII.

[Yeul]

Uhm yeah in order to actually wire money in my banking app I need to input a fingerprint. Smart people developed these apps banks are not stupid.

Obviously people can still kidnap you and torture you but that's no different from before smartphones.

[fsflover]

If your phone is compromised, a single password entry gives hackers full access. How is this not 1FA?

[toast0]

Phone is something they have, password is something they know, once you tell them.

[fsflover]

Imagine somebody owned your phone remotely. Aren't you immediately screwed? This is something I don't expect from 2FA.

[toast0]

Depends on details... I might not be screwed until I need to auth for something, at which point the auth is captured and I'm screwed.

[fsflover]

And you do need to do it from time to time. So it's only 2FA against some threats, not necessarily most important ones for ordinary users.

[toast0]

If what you have (phone) and what you know (authentication) are both stolen, 2FA didn't keep your account secure. But it was still 2FA. They had to steal two things. Same as if it's a user entered OTP code, and you put your password into the phishing site, and then put your OTP code into the phishing site too; 2FA didn't help you, but it was still 2FA.