> I think that the main reason 2FA has been pushed, it's for the Facebooks or the Google to have good reasons to get your valid email and your valid phone number.
You don't need a valid phone number to implement 2 factor authentication. There are implementations that require it, sure. But it's not the only way.
> Yes. Google and Facebook aren't the only ones.
> You don't need a valid phone number to implement 2 factor authentication. There are implementations that require it, sure. But it's not the only way.
Are your referring to AWS Multi-Factor Authentication (MFA)? It's indeed a good implementation, but it's usage is very limited and most people are not referring to this when they are talking about 2FA.
- It could also be a token that gets sent to your phone or email and you input (like Facebook, Google, banks)
- An action you need to perform on another device (another bank)
- Google Authenticator (and other authenticator apps)
- I have also seen a message encrypted with your GPG public key that you decrypt and submit.
I have seen all of the above in different circumstances. The only one I have never seen is biometrics and it's usually because of the cost. Also, you can't change chop your finger of so it's harder to recall if there are issues unlike the rest.
> most people are not referring to this when they are talking about 2FA.
I only know what I have seen and have worked with.
I use Authenticator for SSH'ing into servers. My banks send me a code or I need to launch their app (CapitalOne) on my phone. My business account had a physical device that generated a token that I had to input in order to login. I have used software in the past that required a key. GPG I have seen in some questionable sites when crawling them.
> Are your referring to AWS Multi-Factor Authentication (MFA)? It's indeed a good implementation, but it's usage is very limited and most people are not referring to this when they are talking about 2FA.
AWS is using TOTP (Time-based One-time Password) as specified by RFC 6238. Off the top of my head, the same protocol is supported by Google, Lastpass, Dropbox, Fastmail, Github, Wordpress, Evernote and Outlook.com. So it stands to argue that this is, in fact, one of the schemes most people are referring to when they are talking about 2FA.
Yes. Google and Facebook aren't the only ones.
> I think that the main reason 2FA has been pushed, it's for the Facebooks or the Google to have good reasons to get your valid email and your valid phone number.
You don't need a valid phone number to implement 2 factor authentication. There are implementations that require it, sure. But it's not the only way.