
@wmd@chaos.social Other: the security value in 2FA comes from having two isolated *environments* needing to be compromised, with each of them being at least nominally secured.

This is why "login on laptop with 2FA auth app on phone" is 2FA, but "login on phone with that same 2FA app" is not. And why a (safely designed) hardware key can make a good second factor (it's an isolated environment).

I hate the refrain of "something you know and something you have" so, *so* much. It's ambiguous, doesn't actually teach people *why* a second factor is secure, and it's at the root of so many wrong conclusions about 2FA...


@joepie91 @wmd
Unfortunately the MFA aspects aren't always isolated from each other, which is the case with Google's popular OTP implementation. Once you have the shared key from the QR, storing said key becomes its own liability. And this is where said isolation starts falling apart...
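As an added example (not code from either poster), here is an RFC 6238 TOTP flow in Python that covers both the isolation argument in the first post and the shared-key point in the reply: the otpauth:// URI that the enrolment QR encodes, the code the phone computes, the server's check, and the fact that whoever holds the server's stored copy of the key produces exactly the same code without touching either device. The account name, issuer and key in the enrolment URI are constructed for illustration (the key is the one commonly used in documentation, not a real credential); the RFC 4226/6238 test secret is used only to validate the arithmetic.

```python
"""Added example (not from the thread): RFC 6238 TOTP end to end, to show
why the shared-secret design undercuts the two-environment isolation."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def secret_from_otpauth_uri(uri: str) -> bytes:
    """Recover the raw key from the otpauth:// URI that the enrolment QR encodes.
    Anyone who can read the QR, or a screenshot of it, gets this key."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    b32 = parse_qs(parsed.query)["secret"][0].upper()
    # Base32 in these URIs is usually unpadded; restore padding before decoding.
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def verify_totp(stored_secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. The server needs the very same key the phone holds:
    it cannot verify a code without also being able to forge one.
    A tolerance of +/- `window` steps absorbs clock drift between the two."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(stored_secret, counter + delta, digits), submitted)
        for delta in range(-window, window + 1)
    )


# Constructed enrolment URI for a hypothetical account (assumption, not real data).
ENROL_URI = ("otpauth://totp/Example:alice@example.com"
             "?secret=JBSWY3DPEHPK3PXP&issuer=Example")


def demo(unix_time: int = 1_700_000_000) -> dict:
    """Walk through enrolment, login, and what a copy of the server's
    user table (or a cloud backup of the authenticator) buys an attacker."""
    phone_key = secret_from_otpauth_uri(ENROL_URI)  # what the authenticator app stores
    server_key = phone_key                           # what the service stores for the user
    login_code = totp(phone_key, unix_time)          # user reads this off the phone
    accepted = verify_totp(server_key, login_code, unix_time)
    # Holding the stored key is enough: no phone, no laptop, no session needed.
    attacker_code = totp(server_key, unix_time)
    return {
        "phone_code": login_code,
        "accepted": accepted,
        "attacker_code": attacker_code,
        "attacker_passes": verify_totp(server_key, attacker_code, unix_time),
    }


if __name__ == "__main__":
    print(demo())
```

The contrast with the hardware-key case in the first post is that a signature-based second factor leaves the verifier with only a public key, so the database row is not itself a forgery tool; with TOTP, every copy of the key, on the phone, on the server, in a QR screenshot or an authenticator backup, is one.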

Pixietown