Comment by cqqxo4zV46cp
2 years ago
No. TOTP MFA’s mechanics make it a significant security improvement regardless of how impressively large (???) your password is. It doesn’t inherently implicate “another service”. That’s the beauty of it. This issue is SPECIFICALLY due to forced use of Authy. Forced MFA for high-value accounts is a good thing. “A long password will protect me” is 2006 thinking.
What happens when you lose your phone then?
Do you have recovery codes printed out? Do you carry them with you? If you do, then what's the difference between this and a password?
Not the parent, but I write recovery codes down and store them in a safe at my home.
The difference compared to a password is that these recovery codes are single-use, used only in exceptional cases and physically air-gapped. On the other hand my password is multi-use, is used daily by me and in the event of a breach will be exposed to the attacker.
I will know if someone steals my recovery codes. I'll have no idea if someone gains knowledge of my password though.
I keep a second outdated Android phone secure with all my TOTP on it for now, plus I have another person I trust who I share my codes with.
You need to explain the threat model which 2fa protects against. Because I'm not seeing it.
> Forced MFA for high-value accounts is a good thing.
No. I agree MFA is a big improvement and I use it for many of my accounts, but I still don't want you forcing me to do something "for my own good".
Make it the default or show me scary warnings, but still give me the option to make my own decision in the end. Sometimes, it's okay for convenience to take precedence over security, and the user is the only one who should make that determination.
Well, phishing attacks are still prevalent and it's still at the top for compromising credentials. And phishing attacks have evolved. Most of them will hijack your session, which will make TOTP useless (FIDO will protect you though).
I just don’t buy the argument that because most sophisticated attacks exist, then 2FA isn’t useful.
2FA protects you from someone getting access to a leaked password. They still can’t connect even with user and password, without doing a very elaborate hack. That’s a huge benefit.