by tmsh 4879 days ago
Very good points. Good discussion, thanks.

Interesting to think about. And you're right, phishing, breaches of the MFA database, and session jacking (via breaching the session database) are all big problems still.

But it's significantly more difficult to compromise certain accounts with another channel of authentication. Whether it's the initial attack vector (trying to crack some random employee's password) or secondary attack vectors (once access is gained, trying to go up a security level or compromise servers upstream, etc.), if each of those authentications requires (after initial setup) a secondary device, it's just so much harder to crack.

Anyway, I think there's got to be a way to design a security system that partitions secure information. MFA secure cookies (or whatever we want to call long-term session ids associated with authenticated secondary channels), I would hope could slow down access to individual accounts.

Ideally, secure cookies get more sophisticated in the future and truly lend a 'distributed' quality to the architecture (i.e., are just one-time RSA private keys, maybe?). Thus making it very difficult to log in without actual access to the device that the user set up MFA with.
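One way to make the "secure cookie" idea above concrete, as an added sketch that is not part of the comment: the long-term session id is bound to a key pair that stays on the enrolled device, the server stores only the public key, and every later login requires signing a one-time challenge. Ed25519 stands in for the RSA keys mentioned above, and the `Server`, `session`, `Enroll`, `Challenge` and `Verify` names are this sketch's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
)

// A session holds the device's public key and a pending one-time nonce, never a
// secret, so a dump of this table cannot be used to sign a login challenge.
type session struct {
	user, nonce string
	pub         ed25519.PublicKey
}
type Server map[string]*session // long-term session id -> enrolled device record

func randomHex(n int) string {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand; Go 1.24+ documents that this never fails
	return hex.EncodeToString(b)
}

// Enroll runs once, after MFA setup, and binds a fresh session id to the device key.
func (s Server) Enroll(user string, pub ed25519.PublicKey) string {
	id := randomHex(16)
	s[id] = &session{user: user, pub: pub}
	return id
}

// Challenge issues a one-time nonce that the enrolled device must sign.
func (s Server) Challenge(id string) string {
	if sess, ok := s[id]; ok {
		sess.nonce = randomHex(32)
		return sess.nonce
	}
	return "" // unknown session id
}

// Verify consumes the nonce even on failure and accepts only the enrolled key's signature.
func (s Server) Verify(id, nonce string, sig []byte) (user string, ok bool) {
	sess, found := s[id]
	if !found || nonce == "" || sess.nonce != nonce {
		return "", false
	}
	sess.nonce = "" // one-time: replaying the same signature is rejected above next time
	// Signing id||nonce ties the proof to this session, not just to the nonce value.
	if !ed25519.Verify(sess.pub, []byte(id+"|"+nonce), sig) {
		return "", false
	}
	return sess.user, true
}
```

A stolen session id alone yields nothing here: the holder cannot answer the challenge without the device's private key, and each challenge is usable once.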