Once upon a time, Tim <ignored_mailbox@xxxxxxxxxxxx> said: > That's one of my gripes about two-factor authentication - it > (typically) uses your phone. Steal someone's phone, and it's > everything they need to pretend to be you. That's going to be true of any second-factor device. In theory, MFA is "something you know plus something you have", but we use too many passwords to "know" them all, so we use password managers. Then the "know" is just one password manager master password... but the "have" is often stored in the same password manager (because where else are you going to store it?). It still helps, because while people may re-use passwords (so one breach can lead to access at other sites), the 2FA codes are unique per site (so breaching one site won't lead to other sites). The password/MFA code master password (and encryption) is the single point of security then, but that's still usually harder to breach. Most devices have "good enough" security, so someone getting your device doesn't help them unless they get it in an unlocked state (and even then, gets ONE person breached, not a million). But at that point, you're also down to the wrench attack. https://xkcd.com/538/ tl;dr: login security is hard -- Chris Adams <linux@xxxxxxxxxxx> -- _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue