Simply not true. If you compromise the authenticator app, you would still need your password to gain access to those apps again. Do you even know what the app does?
No, I don't, which is why I asked:
Is Google's two factor auth the same as the Google Authenticator app being talked about above?
All it does is show time based codes. It does absolutely nothing else.
Good to know.
I'm very confused about what you are talking about. If time-based authentication is not secure, then 2-factor authentication is completely insecure, because companies have been using this method for more than 10 years.
Time-based codes still aren't the problem here. In actuality, it's rather irrelevant. It is the use of the app to be able to get the codes that is the problem.
If someone gets your app, not anyone else's, but your app, they could generate codes to get into your accounts, bypassing the two-factor authentication altogether, because they have one of your levels compromised. The second, being the codes, I am assuming would get you logged into the other services. That defeats the purpose of two-factor authentication altogether.
Here is what my job has set up for a particular PCI/DSS-based environment:
- we log into our internal network, using Active Directory-based authentication (assume we are physically at our office). This is level 1 of TFA.
- to access the PCI/DSS environment, we use a key fob, which holds a SHA512 encrypted cert that is passed to our second-level server, as well as the password to unlock the fob so the cert could be read. That satisfies level 2 of TFA.
- once those two are met, we are able to use the server we connected to as the springboard to connect to the other servers in the PCI/DSS environment. Logins there are local or AD-based, though not listening on any office network-accessible NIC. That makes for 3 sets of authentication, though the first 2 are what passes for true TFA.
Using something that does level 2 for you completely defeats the purpose of TFA, even if time-based, because that software could be compromised (read: copied off, with your information still intact, as far as the app goes).
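The point argued in this thread, that an authenticator app is nothing more than a shared secret plus a clock, can be shown concretely. The following is an added example, not code posted by anyone in the thread: it implements the RFC 6238 TOTP algorithm (HMAC-SHA1, 30-second step, 6 digits, which is what Google Authenticator uses by default) and then shows that a copy of the enrolment seed, with no phone and no password, produces exactly the code the server accepts. The base32 seed is a constructed value (the RFC 6238 test key), and `verify`'s one-step tolerance window is an assumption about the server, not something stated on the page.

```python
import base64
import hashlib
import hmac
import struct

# Constructed seed for the example: the base32 string an authenticator app
# receives in the enrolment QR code. This is the RFC 6238 test key
# "12345678901234567890", not anyone's real seed.
EXAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Turn the base32 seed from the QR code into the raw HMAC key."""
    return base64.b32decode(seed_b32, casefold=True)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock.
    This is all the app computes; nothing else on the device is involved."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, candidate: str, unix_time: int,
           step: int = 30, window: int = 1) -> bool:
    """Assumed server-side check: accept the current step and `window`
    steps either side to absorb clock drift. Constant-time comparison."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), candidate)
        for d in range(-window, window + 1)
    )


def cloned_seed_passes(seed_b32: str, unix_time: int) -> bool:
    """An attacker who copied only the seed (the app's backing data) generates
    a code on their own machine; the server cannot distinguish it from the
    legitimate device's code because both derive from the same secret."""
    server_secret = decode_seed(seed_b32)
    attacker_secret = decode_seed(seed_b32)  # byte-for-byte copy of the seed
    attacker_code = totp(attacker_secret, unix_time)
    return verify(server_secret, attacker_code, unix_time)


def different_seed_passes(seed_b32: str, other_seed_b32: str, unix_time: int) -> bool:
    """Control case: a code from a different seed is rejected, showing that the
    seed, and only the seed, is what the second factor actually protects."""
    return verify(decode_seed(seed_b32), totp(decode_seed(other_seed_b32), unix_time), unix_time)


if __name__ == "__main__":
    secret = decode_seed(EXAMPLE_SEED_B32)
    print("code at t=59:", totp(secret, 59))
    print("cloned seed accepted:", cloned_seed_passes(EXAMPLE_SEED_B32, 1111111109))
```

The `totp` values for the RFC 6238 test times match the RFC's published SHA-1 vectors (for example `287082` at t=59), which is a convenient way to confirm the implementation is the real algorithm and not an approximation. Note what is absent from the attacker's path: no password, no device, no network access to the victim, only the seed bytes.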
Wow. Dumbest comment of the year so far.
As a 20-year Unix sysadmin and ISO, I challenge you to prove me wrong.
BL.