Chris <ithinkiam@gmail.com> wrote:
However, in this case it's by design not nefarious. The 'F' in 2FA is
"factor" meaning that you need two different sources of truth. Your
password is one and a known device is the second. VOIP is neither
known nor a device so cannot be trusted as the endpoint could be
almost anything.
Yet 2FA codes are also sent by e-mail. Someone is on your phone using a
web browser, gets the login 2FA interruption, and the 2FA code gets sent
to e-mail which is accessed on the same phone. Yeah, that really
thwarted the 2FA-enabled login ... not! 2FA only makes sense when 2
*different* devices are used for login and to where the 2FA code is
sent. Where do 2FA SMS texts get sent? Yep, to the same phone someone
is using a web browser trying to login. There is nothing about 2FA that
guarantees nor even mandates that different devices are used for login
and 2FA code reception. The "factor" is NOT about using different
devices. It is about using two pieces of /evidence/ (password and 2FA).
All the site knows that is sending the 2FA code is either your e-mail
address or your SMS-capable phone number. How do they know that where
the 2FA code is received is at a different device than where the login
was attempted? Smartphones generate the most volume of web traffic.
https://gs.statcounter.com/platform-market-share/desktop-mobile/worldwide/
Most users are logging into a site via a web browser on their phone. It
is the same device that receives e-mails and SMS texts. The web site
knows your IP address, not your phone number, when you use a web browser
on your phone trying to log into a site. They send a 2FA code to your
phone number, but they don't know that is the same device as from where
you are web browsing - unless they are tracking your IP address to the
IMEI of your phone. Even with the IMEI of your phone, you use another
phone to web browse to the same site, it sends a 2FA code via e-mail or
SMS, and you see it on that phone.
Login on a smartphone via web browser, and 2FA code sent to the SAME
device. Just where is the mandate 2 different devices are used for
login and to where 2FA codes get sent?
I haven't delved much into TOTP, because I've yet to log into any sites
that use it, but it might be more secure than 2FA.
https://en.wikipedia.org/wiki/Time-based_one-time_password
My bank did add TOTP by letting their customers use the Authy app.
Alas, Authy discontinued their desktop (Windows) client leaving only
their mobile apps. Yet I don't do banking on my phone, only on my
desktop PC. So, Authy yanked their desktop client, can't use it anymore
with my bank, so I'm stuck with them sending the 2FA code to my Google
Voice phone number which forwards to me via e-mail. Obviously I can't
get texts on my desktop PC (it has no cellular service), and I'm not
running around the house to find my smartphones to power them up and
wait to get a 2FA code via SMS that I have to manually copy into the 2FA
form in the web browser on my desktop PC. At the server, 2FA codes
expire, so it could take me longer to use a phone with SMS than it took
to use Authy on my desktop where I was trying to login.
There are other TOTP desktop clients, but I don't know which will work
with my bank. They list only a couple TOTP clients, one of which is the
Symantec client that is geared to enterprise users. They don't list
other TOTP clients, like Google or Microsoft Authenticator.