It muddied the waters as to who is responsible for security, the website or the user. I believe the move to 2FA was actually a backwards step in the way most websites implement it.
It is certainly less onerous but there are broader implications. Now I am not suggesting this is not a good and worthwhile feature, but we should question whether it is anymore secure than a long master password. But somebody picked up your phone during that 5 minutes and the first thing they did was add their fingerprint or face to the phone. No one can break into your phone right? If you lost or misplaced in then in that 5 minute window it is totally unsecured.īut you arrange it so that the token MUST operate along side face recognition or fingerprint right.
Its usually a phone and has a feature where it locks every 5 minutes right (5 minutes, in your dreams you listen to music or are expecting an urgent call so it is unlocked for 1 hour)and when it recognizes your face/fingerprint it unlocks. Remember once you open the vault you have access to all your security information for you bank, your porn sites…everything. So what you have achieved is to move your security from the website to your device. Now what about with an encrypted token that you store on the device. You would have single factor authentication The website then queries or sends something to your device to confirm the action.īUT how do most websites allow you reset the password? You do it by a Forgot Password which resets the password and to confirm it is you it sends the second part of the 2FA.īut why couldn’t you do this EVERYTIME?. So you login to a website and plug in your password. Something you know is a password or pin and something you have is the device. Something you know and something you have. At a fundamental level relies on 2 SEPARATE things for security. Can I chime in with something of concern with this feature.įirstly, 2FA.
0 kommentar(er)
