
Why You Don't Need 2 Factor Authentication - dsr12
http://sakurity.com/blog/2015/07/18/2fa.html
======
_pdp_
2FA auth is fundamentally harder to crack due to computational complexities
and also physical constraints, and it is definitely better than just a plain
password. Also, 2FA doesn't add extra inconvenience when done the right way -
see Google's 2FA.

I am not quite sure what to make of this article, but here is a simple
scenario which I believe puts everything in a bit of perspective.

Say that I somehow lose my password. Without 2FA that's it - the attacker is
in. With 2FA the attacker will have to do more work. I don't care how complex
it is to crack the token. The point is that just because you know a secret
doesn't give you all the other secrets.

~~~
djrogers
Google's 2FA is kinda broken though, in that it generates permanent 'per-app'
passwords that aren't actually limited to one app; they can be reused as often
as you (or a data thief) want. That always bugged me...

------
rubbingalcohol
The author missed the obvious and common attack scenario where an attacker
gains access to an email account associated with a vendor account, uses the
email account to reset the vendor password, and logs in. Two-factor
effectively prevents this attack.

Third parties (like Google Authenticator) possessing the 2FA codes is not a
problem because they don't possess the passwords and are generally
"trustworthy." Losing access to the 2FA hardware isn't such a problem on
platforms like Heroku that assign account recovery codes. Just PGP encrypt
them and call it a day.

2FA is a valuable last line of defense against a targeted attack.

------
raesene9
For me what this misses is the reduced impact of a single session compromise.

If an attacker gets your password, that account is compromised until you
change your password (could be weeks, months or never).

With decently configured 2FA, the attacker gets a single session. If you have
decent session termination/logout and restrictions on sensitive actions (like
disabling 2FA) such that they require re-authentication (and re-entering
another 2FA code), it can reduce the impact of compromise by quite a bit.
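A sketch of the step-up re-authentication described in the comment above, as an added example that is not from the thread: a stolen session cookie can read data, but sensitive actions such as disabling 2FA require a second-factor code entered within a recent window. The 300-second window, the action names and the stand-in code check are assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed example: a session model where holding a session is not enough
# to change security settings; those need a fresh second-factor step-up.
STEP_UP_WINDOW = 300  # seconds a fresh 2FA verification stays valid (assumed policy)
SENSITIVE_ACTIONS = {"disable_2fa", "change_password", "add_recovery_email"}


class StepUpRequired(Exception):
    """Raised when a sensitive action needs a fresh second-factor check."""


@dataclass
class Session:
    user: str
    created_at: float
    last_step_up: Optional[float] = None  # None until the user re-enters a 2FA code
    log: list = field(default_factory=list)


def verify_totp(code: str, expected: str) -> bool:
    # Stand-in for real TOTP verification (hypothetical); constant-time compare
    # so the check does not leak how many leading digits matched.
    return hmac.compare_digest(code, expected)


def step_up(session: Session, code: str, expected: str, now: float) -> bool:
    """Record a fresh 2FA verification on the session if the code is valid."""
    if verify_totp(code, expected):
        session.last_step_up = now
        return True
    return False


def perform(session: Session, action: str, now: float) -> str:
    """Run an action; sensitive ones require a step-up within STEP_UP_WINDOW."""
    if action in SENSITIVE_ACTIONS:
        fresh = (session.last_step_up is not None
                 and now - session.last_step_up <= STEP_UP_WINDOW)
        if not fresh:
            # An attacker holding only the session cookie stops here.
            raise StepUpRequired(f"{action} requires re-entering a 2FA code")
    session.log.append(action)
    return f"{action}: ok"
```

Pair this with short session lifetimes and a logout that actually invalidates the server-side session, so a hijacked session also expires on its own.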

~~~
cnst
> with decently configured 2FA, the attacker gets a single session

Not really. The telecom and/or email provider are still in full possession of
MITM'ing your authentication credentials.

