> On 19.11.2022 at 16:54 Slavko via mailop <mailop@mailop.org> wrote:
>
> Please, can it be really as "simple"? If yes, then my understanding is,
> that 2FA doesn't solve leaked passwords problem, as advertised
> by many sites, but it solves only that this problem will be self-solved
> as token expires (week or two), without user's password changes.
> Is my understanding right?
>
> If yes, then 2FA is not holy grail of solving the SPAM & leaked
> passwords problem, as attacker can send a lot of SPAM via this
> phished account (ignore rate limiting for now) until OTP expires.
> Right?

As an addition, multi-factor authentication doesn't say anything about which factors are used or their security. No MFA method provides unbreakable security and makes attacks impossible; however, in any case it greatly increases the barrier for an attack.

For example, instead of passwords, which are changed every few months to never, TOTPs expire every 30 to 60 seconds and make password reuse attacks impossible. U2F, as another example, as mentioned by Ken, provides a secret that is cryptographically tied to a service/site, which prevents phishing via lookalike or typosquatting domains.

The problem with MFA is not that it's not secure, but rather that it is more difficult to use than 1FA and often also provides no simple recovery procedure for forgotten credentials.

--
BR
Oliver
dmTECH GmbH