Password leaks are server-side. If they don't know how to properly hash passwords, how you can trust them to implement correctly 2FA?
Bruteforcing is not realistic with even medium password strength.
If by "rubber hose", you mean physically coercion, what would forbid the attackers to coerce you for your email or your phone as well?
I think that the main reason 2FA has been pushed, it's for the Facebooks or the Google to have good reasons to get your valid email and your valid phone number.
> I think that the main reason 2FA has been pushed, it's for the Facebooks or the Google to have good reasons to get your valid email and your valid phone number.
You don't need a valid phone number to implement 2 factor authentication. There are implementations that require it, sure. But it's not the only way.
> Yes. Google and Facebook aren't the only ones.
> You don't need a valid phone number to implement 2 factor authentication. There are implementations that require it, sure. But it's not the only way.
Are your referring to AWS Multi-Factor Authentication (MFA)? It's indeed a good implementation, but it's usage is very limited and most people are not referring to this when they are talking about 2FA.
- It could also be a token that gets sent to your phone or email and you input (like Facebook, Google, banks)
- An action you need to perform on another device (another bank)
- Google Authenticator (and other authenticator apps)
- I have also seen a message encrypted with your GPG public key that you decrypt and submit.
I have seen all of the above in different circumstances. The only one I have never seen is biometrics and it's usually because of the cost. Also, you can't change chop your finger of so it's harder to recall if there are issues unlike the rest.
> most people are not referring to this when they are talking about 2FA.
I only know what I have seen and have worked with.
I use Authenticator for SSH'ing into servers. My banks send me a code or I need to launch their app (CapitalOne) on my phone. My business account had a physical device that generated a token that I had to input in order to login. I have used software in the past that required a key. GPG I have seen in some questionable sites when crawling them.
> Are your referring to AWS Multi-Factor Authentication (MFA)? It's indeed a good implementation, but it's usage is very limited and most people are not referring to this when they are talking about 2FA.
AWS is using TOTP (Time-based One-time Password) as specified by RFC 6238. Off the top of my head, the same protocol is supported by Google, Lastpass, Dropbox, Fastmail, Github, Wordpress, Evernote and Outlook.com. So it stands to argue that this is, in fact, one of the schemes most people are referring to when they are talking about 2FA.
Leaks can be client-side, too. Outdated or zero-day exploits could easily allow attackers to get a (replayable!) password or hash from a browser, improperly terminated VPN, SSL stream, etc.
An ephemeral TOTP value is almost useless to them in this case.
As for rubber hose: if your 2FA smartcard/token/device isn't carried after you leave the office (for example), attackers getting your password via a mugging out the street is less useful.
