by rdl
4715 days ago
Ultimately all of the cellphone 2FA are at some level "two passwords". If the machine on which you enroll initially is pwned at that time, the attacker sees the seed. It's a little better with physical tokens (where you'd need to compromise the token itself, or do MITM at setup time and persistently after). I believe most of the good iOS TOTP apps use the "keybag" correctly so the seeds don't leave the device when backed up, but it's not perfect. An x509 cert would fundamentally not be any different, and PK-based MFA (which Duo, OneID, and I think some other companies do) isn't that different -- it just requires that the verifying application talk to the app directly vs. something you can do as a human.
For gmail, Google texts me an auth code; the seed (if there is one) is in their data center. They could switch to seedless down the road since they own both sides of the auth.