
Re: google account say it will no longer deliver email



On 13/05/2022 12:23, Nicholas Geovanis wrote:
> That's the value added in exchange for Ash's "massive pain in the arse".
> Just making the 1st factor be a loong password is not equivalent to 2FA
> in any way. Machine reaching back to you is the difference.

There are attacks that 2FA can defeat, especially things like password reset via compromised email server, but in general, two weak factors are not a match for a strong unique random password. In particular, it is not uncommon for an SMS/email/TOTP second factor to resolve to exactly the same device as the first factor, reducing 2FA to a single factor. Compromise such a user's phone and it is all over.

If Bob, username "bob", chooses password "bob123" (real example, name changed to protect the guilty) for both his email and website login, 2FA via email is easily circumvented by intercepting the email. If both email and website had strong unique random passwords, many attacks are prevented. Password reset attacks via intercepted emails on the email server remain a threat.

It is not enough for a password to be looong. It must be strong AND unique AND random. Even a strong password is exploitable if one compromised site can be used to obtain it and access many other sites. It has to be random because someone else may have used the first 100 decimal digits of pi or e or the first paragraph of your favourite book. Strong goes without saying.

Kind regards,

--
Ash Joubert <ash@transient.nz>
Director
Transient Software Limited <https://transient.nz/>
New Zealand
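The three requirements in Ash's message (unique, random, strong) can be expressed as a small policy check. The following Python is an added example and is not code from the thread or from Transient Software; the blocklist of well-known sequences, the "bob123" sample and the 80-bit threshold are constructed for illustration, and the entropy figure is an upper-bound estimate that only means anything once the password has been shown not to be a known phrase. Generation uses the `secrets` module, which draws from the operating system's CSPRNG.

```python
import math
import secrets
import string

# Alphabet used for generation; 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed blocklist of "long but not random" strings: leading digits of
# pi and e, and a famous opening sentence. A real deployment would use a
# breach corpus instead of this hand-written list.
KNOWN_SEQUENCES = [
    "314159265358979323846264338327",        # first 30 digits of pi
    "271828182845904523536028747135",        # first 30 digits of e
    "it was the best of times, it was the worst of times",
    "password",
    "123456",
]


def _normalize(text: str) -> str:
    """Lower-case and keep only letters and digits, so '3.14' and '314' compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


_KNOWN_NORMALIZED = [_normalize(seq) for seq in KNOWN_SEQUENCES]


def generate_password(length: int = 20) -> str:
    """Draw each character uniformly from ALPHABET using the OS CSPRNG.

    secrets.choice is suitable for secrets; random.choice is not.
    """
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def charset_size(password: str) -> int:
    """Size of the smallest standard character set containing every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on entropy, assuming each character was chosen independently
    and uniformly from the classes present. Inflated for predictable strings,
    so is_predictable() must be consulted first."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def is_predictable(password: str) -> bool:
    """True if the password is a prefix of a well-known sequence or phrase.

    The minimum length stops one- or two-character inputs from matching everything.
    """
    p = _normalize(password)
    return len(p) >= 4 and any(seq.startswith(p) for seq in _KNOWN_NORMALIZED)


def assess(password: str, used_elsewhere: set, min_bits: float = 80.0):
    """Apply the three requirements in order: unique, then random, then strong.

    Returns (accepted, reason). `used_elsewhere` stands in for the user's
    other passwords (in practice: a hashed breach list or password-manager vault).
    """
    if password in used_elsewhere:
        return False, "reused: one compromised site would expose every other site"
    if is_predictable(password):
        return False, "predictable: prefix of a well-known sequence or phrase"
    bits = entropy_bits(password)
    if bits < min_bits:
        return False, f"weak: about {bits:.0f} bits of entropy, need {min_bits:.0f}"
    return True, f"ok: about {bits:.0f} bits of entropy"


if __name__ == "__main__":
    for candidate in ["bob123", "3.14159265358979323846", "It was the best of times", generate_password(24)]:
        print(repr(candidate), "->", assess(candidate, {"bob123"}))
```

The ordering matters: a reused or predictable password is rejected before the entropy estimate is computed, because the estimate assumes randomness and would happily report a "strong" score for a long run of pi digits. Only a string that survives both checks earns a bit count, which is the sense in which length alone is not the measure.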

