From: Chris
Newsgroups: comp.mobile.android
Subject: Re: Codes sent by text message
Date: Tue, 12 Mar 2024 19:09:47 -0000 (UTC)
Organization: A noiseless patient Spider

VanguardLH wrote:
> Chris wrote:
>
>> However, in this case it's by design not nefarious. The 'F' in 2FA is
>> "factor" meaning that you need two different sources of truth. Your
>> password is one and a known device is the second. VOIP is neither
>> known nor a device so cannot be trusted as the endpoint could be
>> almost anything.
>
> Yet 2FA codes are also sent by e-mail. Someone is on your phone using a
> web browser, gets the login 2FA interruption, and the 2FA code gets sent
> to e-mail which is accessed on the same phone. Yeah, that really
> thwarted the 2FA-enabled login ... not! 2FA only makes sense when 2
> *different* devices are used for login and to where the 2FA code is
> sent.

Incorrect. It needs to be two different factors. Like I said, a password is
something you *know* and a phone is a device you *have*. Two, three or more
devices are still one factor.

This is why MFA is a thing as other factors are included now like time
since last log in, location, time of day, etc.