Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Chris <ithinkiam@gmail.com>
Newsgroups: comp.mobile.android
Subject: Re: Codes sent by text message
Date: Tue, 12 Mar 2024 19:09:47 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 22
Message-ID: <usq99q$f0h8$1@dont-email.me>
References: <ush35k$2791b$1@dont-email.me>
 <usid1f$2fqif$1@dont-email.me>
 <usn5ia$3lqer$1@dont-email.me>
 <1mtd3l3os6odg.dlg@v.nguard.lh>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 12 Mar 2024 19:09:47 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="c52154c82e00c61e46174366f93ef802";
	logging-data="492072"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX1+urApEtd0s6sQElipKc86qKtnbGHk+IIs="
User-Agent: NewsTap/5.5 (iPhone/iPod Touch)
Cancel-Lock: sha1:/EFqwnG2lav9V7u/C0hqDKCpz6w=
	sha1:5cJzeEB/TfFOUSQBgHc9dBmEKOM=
Bytes: 2116

VanguardLH <V@nguard.LH> wrote:
> Chris <ithinkiam@gmail.com> wrote:
> 
>> However, in this case it's by design not nefarious. The 'F' in. 2FA is
>> "factor" meaning that you need two different sources of truth. Your
>> password is one and a known device is the second. VOIP is neither
>> known nor a device so cannot be trusted as the endpoint could be
>> almost anything.
> 
> Yet 2FA codes are also sent by e-mail.  Someone is on your phone using a
> web browser, gets the login 2FA interruption, and the 2FA code gets sent
> to e-mail which is accessed on the same phone.  Yeah, that really
> thwarted the 2FA-enabled login ... not!  2FA only makes sense when 2
> *different* devices are used for login and to where the 2FA code is
> sent.  

Incorrect. It needs to be two different factors. Like I said a password is
something you *know* and a phone is a device you *have*. Two, three or more
devices are still one factor.

This is why MFA is a thing as other factors are included now like time
since last log in, location, time of day, etc.