|
|
|
|
|
|
by fc417fc802
146 days ago
|
|
|
> I think it is too simple to reduce the definition of second factor to how it is stored. I think the defining characteristic is how it is used. I can use a password like a second factor, and I can use a TOTP code like a password. The service calls it a password or a second factor because that was the intention of the designer. But I can thwart those intentions if I so choose. Recall the macabre observation that for some third factor implementations the "something you are" can quickly be turned into "something your attacker has". |
|
|