
Comment by mavhc

4 months ago

Most people wouldn't realise they can't recover their TOTP codes. But the hacker would still need to know your password, surely?

...so you agree that this is missing the '2' in 2FA?

  • For "something you have" to be true to its purpose it has to be something that has one and only one copy - so either only you have it, or you don't, but nothing in between. The second you have "cloud backup", or activate an additional device, or "transfer to a new device" then you turn the attack into "phishing with extra steps".

    • You can support transferring to a new device without increasing the phishing risk; the transferral just needs to be done via a physical cable rather than via the cloud.


    • I quite like Apple’s Advanced Data Protection, I set it up with two physical yubikeys recently. To login to iCloud/Apple on a new device that’s not part of your trusted devices, you must use the hardware token.

  • They'd have to know your password, and get you to click your 2FA accept button, that's 2 factors still