Hacker News new | past | comments | ask | show | jobs | submit login

I'm curious, do people still consider it "two factor authentication" when you have a mobile device generating (or receiving via SMS) one-time codes and that same mobile device syncing passwords?

For example, if your web browser or password manager is syncing your passwords to your mobile phone, and that's the same phone the SMS codes or TOTP app runs on, is this completely circumventing the whole concept of "two factors"?

Asking for a friend, because I'm sure no HN readers would be dumb enough to do this...

(also, The Register covered this same story yesterday, here's my dupe submission: https://news.ycombinator.com/item?id=12157529)

See wikipedia:

> Multi-factor authentication (MFA) is a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism - typically at least two of the following categories: knowledge (something they know); possession (something they have), and inherence (something they are).

So as long as your phone is sufficiently password-protected, that is is still 2fa.

So a laptop or phone with a fingerprint reader and TOTP app would qualify as well I suppose. I think many people assume that two separate devices are necessary for proper security, and I wonder if this is true?

Yes, it would qualify. While having additional devices does increase security (harder to break into both the laptop and a phone, or laptop and smartcard/yubikey/RSA SecurID token) its not entirely necessary.

Many physical security systems utilize multiple factors of authentication for access that are tied into a single reader. They often have a badge reader (something you have) and a fingerprint/eye scanner (something you are) or a PIN pad/digital combo dial (something you know) all built into the same device stuck on the wall. Sometimes they'll use separate systems for this, but the combo units are very common.

Another thing to remember is that you're still preventing someone from just storing your entire auth request and replaying it later. The one-time password changes every time, so although they might get a password in transit they won't be able to generate future one-time passwords. They would still have to have that thing you own (the OTP secret) and the thing you know (the password).

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact