by laug
4520 days ago
If you offer some kind of flag that can authenticate without the second factor then the whole system is moot, i.e. an attacker can fake/spoof the user agent or whatever flag you're using. The reason it's OK to skip the constraint on a mobile is that if your mobile is owned, so is your secondary factor. For all other cases, going via cell networks is a good enough secondary channel of communication, which leaves out any chance of being MITM'd over WiFi or something.