That turns the second factor into a single factor, so that's not what happens. Usually "I forgot my password" still requires something in addition to your 2FA code -- usually an email sent to your alternate email address.
I'm not so much worried about a thief gaining access to my account, I'm more worried about losing access to my account myself when I lose that second factor. Misplacing a hardware key or having your phone stolen is bad enough, but if you can't log into your account to change your password because you no longer have access to the second factor, it's many times worse. And I don't even have to lose it. Sweaty hands or having wrinkled skin from swimming for a couple of hours is all it takes to not be able to log in with a fingerprint scanner. Face recognition fails in bad lighting. If 2FA is so important, they need to come up with better implementations.
Another point: if your passkey goes on several places at once, like in your mobile and email, they only need access to one of them to steal your account. A double edged sword.
A phone company manager in NJ was charging about $1000 in crypto to do SIM swaps. Bleeping Computer covered it in March 2024. Never link anything important with your phone number. You're just giving the keys to people who don't care about you.
If you mean it signs you in without needing a 2fa code, it's likely they have a conditional access policy in place that provides the 2nd factor automatically. This could be a location based policy or a way of setting approved devices etc.
The next best after security keys is passkeys. I’m assuming it wasn’t brought up in this video because it’s really replacing passwords and still not available everywhere. Yet it also is a 2FA method using your device like phone and face ID. I enjoy watching your episodes even though I know a lot of what is talked about but still learn something new once in a while and is a nice refresher on things.
That phishing at 2:40... how does a fake website know to send you the real company's code? Or how does your real website account know you are logging into a fake website that it sends you the code? I haven't met this one yet.
Question: Let's assume that "man in the middle" on that fake site. Can it be helpful to limit the 30 second window to much less by simply waiting to copy the 6 digit code? Giving the crook less reaction time to use that code on the real site?
@@askleonotenboom Another RUclips IT guy demonstrated that after installing Tic Tok on his sample device, Tic Tok directed content to him based on other apps installed on the device. He had installed a vacation planning app and a dating app, upon accessing Tic Tok similar content was directed to him based on particular searches on those apps.
No different than if you have Facebook, X, Linkedln, etc. on your phone. They all take your info, use it and sell it. Get used to it. Oh, and so does your brand new TV set.
✅ Watch next ▶ Why ANY Two-Factor Is Better than No Two-Factor ▶ ruclips.net/video/2DNJqjGLHR8/видео.html
If they don't have your password, they will just say 'forgot password' and use the 2 factor/OTP if they have the sim
That turns the second factor into a single factor, so that's not what happens. Usually "I forgot my password" still requires something in addition to your 2FA code -- usually an email sent to your alternate email address.
@@askleonotenboom, This is what saved my bacon when some bastard stole my number, needless to say I ain't with that phone company any longer. 👍👍
Yes, I have graduated from no factor up to 15 factor authorization! :)
Oh, I got some catching up to do!!😁
I'm not so much worried about a thief gaining access to my account, I'm more worried about losing access to my account myself when I lose that second factor. Misplacing a hardware key or having your phone stolen is bad enough, but if you can't log into your account to change your password because you no longer have access to the second factor, it's many times worse.
And I don't even have to lose it. Sweaty hands or having wrinkled skin from swimming for a couple of hours is all it takes to not be able to log in with a fingerprint scanner. Face recognition fails in bad lighting. If 2FA is so important, they need to come up with better implementations.
askleo.com/two-factor-loss-risk/
Another point: if your passkey goes on several places at once, like in your mobile and email, they only need access to one of them to steal your account. A double edged sword.
A phone company manager in NJ was charging about $1000 in crypto to do SIM swaps. Bleeping Computer covered it in March 2024.
Never link anything important with your phone number. You're just giving the keys to people who don't care about you.
My university has mandatory 2fa that oddly does not work on university controlled machines ( library pcs and lectern pcs)
If you mean it signs you in without needing a 2fa code, it's likely they have a conditional access policy in place that provides the 2nd factor automatically. This could be a location based policy or a way of setting approved devices etc.
The next best after security keys is passkeys. I’m assuming it wasn’t brought up in this video because it’s really replacing passwords and still not available everywhere. Yet it also is a 2FA method using your device like phone and face ID. I enjoy watching your episodes even though I know a lot of what is talked about but still learn something new once in a while and is a nice refresher on things.
No Passkeys is same factor authentication.
@@StijnHommes Its a password replacement
Thanks Leo
Regarding 2:40 : didn't AT&T have a huge breach several months ago?
Thanks Leo. I use two factor authentication and also don't bank or pay bills online.
My Iphone (and the one before it) regularly "forgets" my fingerprint. Very frustrating.
That phishing at 2:40... how does a fake website know to send you the real company's code? Or how does your real website account know you are logging into a fake website that it sends you the code? I haven't met this one yet.
It's a man-in-the-middle attack. I've got an article/video coming on that.
I'm thinking if all the films where they kill you then use your face, finger, iris to open your phone.
Hah. But if you’re dead, why do you care? 😀
@@bv226 lol. They'll get all your money, instead of it going to your family.
Great video, provides a lot of relevant information in a very digestible fashion :)
Great video. Thanks.
Computer=machine
You said you muted that time I caught you plagiarizing...
Question: Let's assume that "man in the middle" on that fake site. Can it be helpful to limit the 30 second window to much less by simply waiting to copy the 6 digit code? Giving the crook less reaction time to use that code on the real site?
I suppose, kinda, but you'd have to do that EVERY TIME you use a 2FA code, just in case you didn't notice it was a man in the middle.
Really thanks we always learn a lot from you sir
👍👍 JimE
If the online service is breached, can't they find a secret key in the database somewhere?
Nope. Or maybe yes, but that's only half of what's required. Without your matching 2factor key it's not usable.
Wonder how safe all these things are if you have Tic Tok on your phone that you use to login and get your SMS text code
So far there's no evidence there's a problem at all. Just a lot of FUD and posturing. I'd love to see some proof.
@@askleonotenboom Another RUclips IT guy demonstrated that after installing Tic Tok on his sample device, Tic Tok directed content to him based on other apps installed on the device. He had installed a vacation planning app and a dating app, upon accessing Tic Tok similar content was directed to him based on particular searches on those apps.
No different than if you have Facebook, X, Linkedln, etc. on your phone. They all take your info, use it and sell it. Get used to it. Oh, and so does your brand new TV set.
A dedicated prepaid SIM card for 2FA - no more SIM swap scams?
@@Adam497 Something non-invasive?
the question I have is: how to hack my facebook account that was hacked with 2fa?