Questions tagged [multi-factor]
Multi-factor authentication requires at least two sets of credentials. This is typically something you know (e.g. a password) and something you own (e.g. a token generator or mobile phone), but could also be something you are (a biometric).
736 questions
0 votes, 0 answers, 30 views
Is MS number-matching MFA still amenable to bypass in this scenario?
On August 2, 2023, the Microsoft security blog presented this scenario, in which the protection normally afforded by number-matching MFA on MS Authenticator can be thwarted:
In this activity, ...
1 vote, 0 answers, 111 views
Bypass Microsoft Account 2FA
The Microsoft account can have multiple ways to prove who you are for 2FA (two-factor authentication).
When you forget your 2FA security info you can initiate the account recovery process by clicking &...
7 votes, 3 answers, 1k views
Passkeys: MFA or not?
According to different pages (e.g. OneIdentity, also a Google Security source I can't find anymore), using Passkeys does count as Multi Factor Authentication. To my understanding, they argue that the ...
1 vote, 1 answer, 115 views
How effective is re-entering your password to enable high-risk functions on your account when autofill is always available?
Websites ask for passwords to ensure you are the account owner before you make changes to high-risk settings, but autofill works all the time, even when the browser is in Incognito mode.
If someone ...
0 votes, 2 answers, 104 views
Is the following considered 2FA?
user has a verified email in system A
user has a verified phone number in system A
user's authentication method in system A is out of scope in this question, but it is password based
security measures ...
1 vote, 0 answers, 93 views
Attack against MFA: attacker triggering MFA prompt at the same time user is doing a legitimate transaction requiring MFA
Is there a name for this kind of attack against Multi-Factor Authentication:
Attacker is in possession of a user login and password, and is able to trigger a transaction or login which requires MFA ...
4 votes, 1 answer, 481 views
How important is HOTP/TOTP secret key security?
I'm prototyping an application that generates MFA codes. For developer simplicity I'm storing source data in clear text in Google Authenticator URI format (ex: otpauth://totp/totp@authenticationtest....
0 votes, 0 answers, 70 views
How to make SMS-based 2FA safer?
This is a problem that many of us face: A surprising number of financial institutions' websites offer additional authentication only via SMS and/or phone call. But I will refer to my situation ...
0 votes, 1 answer, 100 views
Do 2FA Codes on the same device defeat their purpose? [duplicate]
I have my iPhone connected to my MacBook and receive SMS codes on my computer, which is very convenient. I also recently learned you can have an authentication app on your MacBook too. I just wonder ...
-1 votes, 1 answer, 108 views
What 2FA should I use for my website login and what are the risks of 2FA?
Now I know this website is not for asking for specific software recommendations, but for my website for work purposes (as mentioned in another question,) I feel I need a more secure login protocol ...
0 votes, 0 answers, 28 views
Why is selecting a code in banking app necessary for MFA? [duplicate]
At my old bank, logging in via a browser required that I open their app on my phone and tap a button to authenticate my login.
My new bank is very similar but instead of a single button to click, I ...
0 votes, 0 answers, 24 views
If I'm rolling out MFA to users, should I provide TOTP, SMS or both? [duplicate]
My site's users currently do not have any MFA options, but we're planning to release this feature in the near future. We've already built support for TOTP and have it working internally, but some on ...
0 votes, 2 answers, 189 views
In 2FA, why can't the second factor be the computer? [duplicate]
When two-factor authentication is described to me, people always say that it's important for security to demonstrate at least two of 1) something you know, 2) something you have, and 3) something you ...
0 votes, 0 answers, 82 views
What types of attacks can MFA using a hardware authenticator prevent?
I recently looked into the topic of MFA in combination with some hardware authenticator (USB keys like Nitrokey/Yubico) to potentially improve the overall security of my digital daily activities (web ...
31 votes, 2 answers, 5k views
What is the point of entering numbers in the two-factor authentication app?
Nowadays, 2FA apps usually require you to insert a number which you are presented with when trying to authenticate. For example, the following screenshot is from Microsoft Authenticator:
This is ...