That turns the second factor into a single factor, so that's not what happens. Usually "I forgot my password" still requires something in addition to your 2FA code -- usually an email sent to your alternate email address.
I'm not so much worried about a thief gaining access to my account, I'm more worried about losing access to my account myself when I lose that second factor. Misplacing a hardware key or having your phone stolen is bad enough, but if you can't log into your account to change your password because you no longer have access to the second factor, it's many times worse. And I don't even have to lose it. Sweaty hands or having wrinkled skin from swimming for a couple of hours is all it takes to not be able to log in with a fingerprint scanner. Face recognition fails in bad lighting. If 2FA is so important, they need to come up with better implementations.
The next best after security keys is passkeys. I’m assuming it wasn’t brought up in this video because it’s really replacing passwords and still not available everywhere. Yet it also is a 2FA method using your device like phone and face ID. I enjoy watching your episodes even though I know a lot of what is talked about but still learn something new once in a while and is a nice refresher on things.
A phone company manager in NJ was charging about $1000 in crypto to do SIM swaps. Bleeping Computer covered it in March 2024. Never link anything important with your phone number. You're just giving the keys to people who don't care about you.
If you mean it signs you in without needing a 2fa code, it's likely they have a conditional access policy in place that provides the 2nd factor automatically. This could be a location based policy or a way of setting approved devices etc.
That phishing at 2:40... how does a fake website know to send you the real company's code? Or how does your real website account know you are logging into a fake website that it sends you the code? I haven't met this one yet.
Question: Let's assume that "man in the middle" on that fake site. Can it be helpful to limit the 30 second window to much less by simply waiting to copy the 6 digit code? Giving the crook less reaction time to use that code on the real site?
Another point: if your passkey goes on several places at once, like in your mobile and email, they only need access to one of them to steal your account. A double edged sword.
@@askleonotenboom Another RU-vid IT guy demonstrated that after installing Tic Tok on his sample device, Tic Tok directed content to him based on other apps installed on the device. He had installed a vacation planning app and a dating app, upon accessing Tic Tok similar content was directed to him based on particular searches on those apps.
No different than if you have Facebook, X, Linkedln, etc. on your phone. They all take your info, use it and sell it. Get used to it. Oh, and so does your brand new TV set.
