by furyg3 4520 days ago
I feel like some sort of manual component to two-factor authentication is the whole point (a clickable link, copy+paste, or remembering a 4 digit number).

Besides that, two factor is a bit of a joke in an app (on your phone) that caches your password, and then sends a message (to your phone) which is automatically read and accepted, before allowing you to login. What exactly are we achieving here in terms of security? Every 30 days the app authenticates itself with no user intervention.

It would be much more secure to just force a password login.

3 comments

>I feel like some sort of manual component to two-factor authentication is the whole point

It's not really. The point is to verify that the device used for 2FA is still with you; whether you entered the code manually or it got entered automatically isn't the point of the system, and in practice makes no real difference (unless your 2FA app requires a password for access).

>What exactly are we achieving here in terms of security?

Verifying that the phone is still using the allowed SIM card/phone number.

If you switch phones, you can still get the confirmation message, access your account and, if needed, invalidate all other sessions.

If your phone is stolen you can do the same thing. The app password caching doesn't matter then.

It is no different than a 2FA app that you have on your phone, except that it's more tied to your SIM card than to your phone.

If you offer some kind of flag that can authenticate without the second factor, then the whole system is moot. I.e., an attacker can fake/spoof the user agent or whatever flag you're using. The reason it's OK to skip the constraint on a mobile is that if your mobile is owned, so is your secondary factor.

For all other cases, going via cell networks is a good enough secondary channel of communication, which leaves out any chance of being MITM'd over WiFi or something.
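To make the distinction in this comment concrete (a client-supplied flag that skips the second factor is spoofable, whereas trust the server itself bound to the device is the legitimate reason a mobile can skip the manual step), here is an added Python example written for this page; it is not code from any commenter or from the app under discussion. The user store, the pending SMS code, the server key, the device ids and the `X-Trusted-Device` header name are all constructed for the demo, and the 30-day trust window mirrors the interval mentioned in the original post.

```python
import hashlib
import hmac
import time

# Constructed demo data (not from the thread): one user, one pending SMS code.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
PENDING_CODES = {"alice": "482913"}          # the code the server just "texted" to alice
SERVER_KEY = b"assumed-server-side-secret"   # never leaves the server
DEVICE_TRUST_SECONDS = 30 * 24 * 3600        # the 30-day re-auth window from the thread


def password_ok(user: str, password: str) -> bool:
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hashlib.sha256(password.encode()).hexdigest())


def sms_code_ok(user: str, code) -> bool:
    """Second factor: the code that was sent to the phone tied to the account."""
    expected = PENDING_CODES.get(user)
    return code is not None and expected is not None and hmac.compare_digest(expected, str(code))


# --- Weak design: a client-controlled flag decides whether the second factor applies ---
def login_weak(user: str, password: str, headers: dict, code=None) -> bool:
    """Anyone who can set the header skips 2FA: the flag is attacker-controlled input."""
    if not password_ok(user, password):
        return False
    if headers.get("X-Trusted-Device") == "1":   # as spoofable as a user agent string
        return True
    return sms_code_ok(user, code)


# --- Hardened design: trust is a server-issued keyed token bound to user + device, with expiry ---
def _mac(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_device_token(user: str, device_id: str, now: float) -> str:
    """Issued only after a login that completed the second factor on this device."""
    exp = int(now) + DEVICE_TRUST_SECONDS
    payload = f"{user}:{device_id}:{exp}"
    return f"{payload}:{_mac(payload)}"


def device_token_ok(token, user: str, device_id: str, now: float) -> bool:
    """Valid only if the MAC checks out under the server key, it names this user
    and device, and the 30-day window has not expired."""
    if not token:
        return False
    try:
        t_user, t_dev, t_exp, t_mac = token.split(":")
        exp = int(t_exp)
    except ValueError:
        return False
    payload = f"{t_user}:{t_dev}:{exp}"
    return (hmac.compare_digest(t_mac, _mac(payload))
            and t_user == user and t_dev == device_id and now < exp)


def login_hardened(user, password, device_id, token=None, code=None, now=None) -> bool:
    """Skipping the second factor requires proof the server itself issued to this device.
    A stolen, unlocked device still carries that proof, which is the comment's point:
    if the phone is owned, so is the second factor."""
    now = time.time() if now is None else now
    if not password_ok(user, password):
        return False
    if device_token_ok(token, user, device_id, now):
        return True
    return sms_code_ok(user, code)
```

In the weak variant a correct password plus a forged header is enough, so the second factor only ever inconveniences honest users. In the hardened variant a fabricated token fails the MAC check and the login falls back to demanding the SMS code, a token issued for one device id is useless on another, and the token stops working once the trust window closes, which is exactly when the app would have to re-authenticate.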

We are achieving the same security guarantee as before, just without the user pain. All two factor provides in this case is proof that you have the phone associated with your account. Why does it matter if the app does the legwork for you?
>We are achieving the same security guarantee as before, just without the user pain.

I'd argue that a corporation other than the phone company being able to read all your text messages is significant pain.

Given that FB seems to want to take over all communication between users (contact list/blog/email/photos/messaging) FB being able to track and access anything you do is the inevitable endpoint of such aspirations, but many people are not comfortable with that, and the farther FB go down that road, the more people they'll alienate.