Hacker News new | ask | show | jobs
by codegrappler 217 days ago
2FA most commonly thwarts server-side compromised passwords. An API can leak credentials and an attacker still can’t access the account without the 2FA app, regardless of which app that is. The threat vector it does open you up to are a) a compromised device or b) someone with access to your master password, secret key and email account. Those are both much harder to do and you’re probably screwed in either case unless you use a ubikey or similar device.
1 comments
eimrine 217 days ago
How is it possible to have compromised password but not compromised the second factor? I don't understand the theory of leaking not enough factors. What is stopping webmasters from using 100FA?
link
smsm42 214 days ago
> How is it possible to have compromised password but not compromised the second factor?

Server-side (assuming weak password storage or weak in-transit encryption) or phishing (more advanced phishers may get the codes too but only single instance of the code, not the base key).

> What is stopping webmasters from using 100FA?

The users would hunt them down and beat them mercilessly?

link
eimrine 212 days ago
So 2FA is a protection against the server's admin? Not even the user's protection but the webmaster's one?
link