

2-step verification is not two-factor authentication - 8bitpony
http://www.twofactorturkey.com/2-step-verification-is-not-two-factor-authentication

======
yonran
The author is correct to attack Google’s authentication protocol, but the
password reset procedure is the gaping security hole. The author is focusing
on the distinction between “hard” tokens vs “soft” tokens from NIST 800-63
Level 4. But in the Grant Blakeman case, the first factor (password) was never
compromised. It was the Google password reset procedure that sidestepped all
the security of the two factors. All you need is to answer easy trivia
questions and to text a code to a phone number in order to take over a gmail
account.

------
jszymborski
I understand how sending an SMS text is 2-step verification; however, this
article then tries to expand this to include smartphone apps like Google
Authenticator, which is just wrong.

The argument they use is that Google Authenticator is something-you-know auth
because you "know" the token; however, from my understanding this isn't any
different from any other synchronous 2FA.

2FA, whether sync, async, or challenge-response, requires your device to store a
password, OTP, or key pair.

Bad sales pitch is bad.

