|
|
|
|
|
|
by josephg
149 days ago
|
|
|
> 2FA is "something you have" (or ".. you are", for biometrics): it is supposed to prove that you currently physically posses the single copy of a token. The textbook example is a TOTP stored in a Yubikey. No, 2FA means authentication using 2 factors of the following 3 factors: - What you know (eg password) - What you have (eg physical token) - What you are (eg biometrics) You can "be the 2FA" without a token by combining a password (what you know) and biometrics (what you are). Eg, fingerprint reader + password, where you need both to login. |
|
|
Combine that with the practical problems with biometrics when trying to auth to a remote system, and in practice that second factor is more often than not "something you have". And biometrics is usually more of a three-factor system, with the device you enrolled your fingerprints on being an essential part of the equation.