-2

I have been reluctant to move to 2FA for some reasons… Here is a use case.

  • The user has two Google accounts (personal and business)
  • Both accounts are configured on the Android smartphone
  • Two-Factor-Authentication is enabled on both accounts

Now, under normal circumstances, whenever the user wants to log in, the 2FA kicks in as an extra over the standard password.

The fun comes now: the user leaves the phone on a desk and a funny person (or a thief!) takes the phone. Let us assume the phone does not have any PIN, gesture or fingerprint access control. The thief takes the phone, sees the Google accounts, browses them, wants to be bad and decides to hijack both accounts.

Now, the thief or the funny person just happens to guess the password of one of the accounts, that is bad. But hey! good thing 2FA is enabled on the account! right?

Well, that thief or funny person that took the phone and was lucky to guess the password gets the 2FA notification, but since the phone he stole is in his control, the 2FA is actually not doing anything, because the intruder has the phone and does the 2FA on the stolen phone; the real owner does not get anything.

So, how is two-factor-authentication good then? Sure, you have to get the password first but if you do then 2FA does not seem to offer anything to protect if the intruder also has the authenticating device.

I hope somebody can explain that to me and tell me my assumptions are incorrect.

mega6382
Lord of Scripts
    You seem to be focusing on a scenario which for most people would be much less likely than someone trying to access their accounts remotely. Also, a person that uses swipe-to-unlock on their phone doesn't sound like the type of person that would be interested in enabling 2FA on their accounts. – Michael Jul 16 '18 at 08:14
  • This seems like a very silly question. Sure, 2FA doesn't protect against every situation; if the attacker has your login credentials *and* gains access to your authenticator, they're still going to get access to your account. However, it doesn't make the situation any *less* secure and it helps in many other situations. So, how is two-factor-authentication bad then? – Jeff Alyanak Aug 14 '18 at 21:30

2 Answers

1

Two factor authentication puts two barriers in front of accessing an account.

Consider your thief when they do not have access to the device. They may guess the password, but they can't beat the 2FA. This is the case for most online attacks, dictionary attacks and compromised password attacks.

Consider the alternative. The attacker has the device, but they are unable to guess the password because it is of reasonable strength. Then they are unable to beat the password factor and the account remains safe.

The situation in which the attacker is able to gain access to the device and the password is less likely than either of the two above scenarios. No security is perfect security, but two factors of authentication are certainly better than one.

philnash
0

Nowadays there are a lot of different ways to deliver OTPs. If you get OTPs via SMS or they are generated by Google Authenticator and a thief or a funny person takes your phone, they will get access to your OTPs.

The next step is to guess the password. Usually, if people use 2FA they care about security and don’t use weak passwords. If you worry your password can be guessed, you can use an application that generates OTPs and protects access to the application with a PIN (for example, the Protectimus Smart app).

Another solution is a hardware token. It is an independent device so even if a thief takes it they don’t know what account you protect with it.

Of course, 2FA is better than just a password. Even if somebody brute-forced or guessed your password, they won’t get access to your account without the one-time password (excluding the situation where someone takes your phone that doesn’t have any PIN).

Disclaimer: I work for Protectimus

Christian