Barney

@SwiftOnSecurity

Could I ask you for a bit more explanation?

If a crook goes to my bank's website, types in my email address, and clicks "forgot password," then even if the crook is able to intercept the one-time authentication code that's texted to my phone, they still won't be able to get into my bank account, unless they're first able to get into my email account to get my "reset password" link, right?

Adora (She/Her) :flag_transgender:

@barney @SwiftOnSecurity

But basically what Swift is describing is both:

that a lot of services let you use your phone as a full login method if everything else fails, without additional auth by default (example: Gmail. Pretend you forgot your password and try it).

Also, your password may leak, be stolen, or be reused from somewhere compromised, and you expect the 2FA to protect against that (example: bank).

Plus, like your example that verifies email: if they get into your email because it allows single factor, isn't that the same thing?
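To make the recovery-chain argument in this reply concrete, here is an added example (not from the thread or any of its participants) that models each service as a list of login and recovery paths and computes the smallest set of channels an attacker would need to control; the service names, paths and the `HARDENED` variant are constructed assumptions used to illustrate the point, not any real provider's policy.

```python
from typing import Dict, FrozenSet, List, Set

# Constructed model (assumption, not from the thread): each service maps to a
# list of ways in; each way is a set of requirements, where a requirement is
# either a raw channel an attacker might control ("password", "sms") or
# access to another service (e.g. "email" for a reset link delivered there).
CHANNELS = {"password", "sms"}

# The setup discussed above: the bank offers normal login, or an email reset
# link plus an SMS code; the email account, like the Gmail example, can be
# recovered with the phone alone.
SERVICES: Dict[str, List[Set[str]]] = {
    "email": [{"password", "sms"}, {"sms"}],
    "bank":  [{"password", "sms"}, {"email", "sms"}],
}

# Hardened variant: the email provider no longer treats the phone as a full login.
HARDENED: Dict[str, List[Set[str]]] = {
    "email": [{"password", "sms"}],
    "bank":  [{"password", "sms"}, {"email", "sms"}],
}

def channel_sets(services, service, seen=frozenset()) -> List[FrozenSet[str]]:
    """Expand every way into `service` down to the raw channels it needs."""
    if service in seen:            # guard against circular recovery dependencies
        return []
    result = []
    for way in services[service]:
        options = [frozenset()]
        for req in way:
            if req in CHANNELS:
                options = [o | {req} for o in options]
            else:                  # access to another service: expand recursively
                sub = channel_sets(services, req, seen | {service})
                options = [o | s for o in options for s in sub]
        result.extend(options)
    return result

def minimal_channel_sets(services, service) -> List[FrozenSet[str]]:
    """Smallest sets of channels that, if all controlled, grant access."""
    sets = set(channel_sets(services, service))
    minimal = {s for s in sets if not any(t < s for t in sets)}
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))

def collapses_to_single_channel(services, service) -> bool:
    """True when some recovery chain reduces a '2FA' account to one channel."""
    return any(len(s) == 1 for s in minimal_channel_sets(services, service))

if __name__ == "__main__":
    for name, model in ("as described", SERVICES), ("hardened", HARDENED):
        print(name, "bank:", [sorted(s) for s in minimal_channel_sets(model, "bank")])
```

With the thread's setup the bank collapses to the SMS channel alone via the email reset path; removing the phone-only recovery from the email account restores the two-channel requirement.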
