that is shitty implementation. circumventing 2fa with 1fa method that can be easily intercepted is pinnacle of stupidity.
if the protected source is so important that it warrants using 2fa, then the recovery after losing it must really verify the identity and sending some random code doesn’t cut it.
another thing is the spreading of 2fa to anything where it doesn’t really need to. that is cancerous in itself.
if they are sending you random code, through email or sms, that is 1fa authentication that can be intercepted - through some malware in your computer or phone and it directly beats the purpose of having 2fa.
This feels like you haven’t seen 2fa in the past ten years or so. The codes are given to the user on the site during the 2fa setup, they aren’t sent via any of those channels that the user has lost in the first place leading to the recovery procedure.
having 2FA in place and then letting you in based on “security question” is the peak clown show.
(this is not attack on you, but wow…)
They’s talking about 2fa recovery codes, which are specifically made for when one loses their phone, for example. And are typically random.
that is shitty implementation. circumventing 2fa with 1fa method that can be easily intercepted is pinnacle of stupidity.
if the protected source is so important that it warrants using 2fa, then the recovery after losing it must really verify the identity and sending some random code doesn’t cut it.
another thing is the spreading of 2fa to anything where it doesn’t really need to. that is cancerous in itself.
I get it that recovery codes could be leaked just like passwords, but not sure what you mean by ‘easily intercepted’.
if they are sending you random code, through email or sms, that is 1fa authentication that can be intercepted - through some malware in your computer or phone and it directly beats the purpose of having 2fa.
This feels like you haven’t seen 2fa in the past ten years or so. The codes are given to the user on the site during the 2fa setup, they aren’t sent via any of those channels that the user has lost in the first place leading to the recovery procedure.
oh, yes, i misread that part. so it is basically password that was on post it note somewhere in your drawer for who knows how long? well that is safe.