undefined | Better HN

0 pointsmikeash6y ago0 comments

It won’t prevent an attacker from logging in as you at the moment, but it will prevent them from using stolen credentials later on.

0 comments

TrueDuality6y ago

If they can inject server code, they can bypass 2FA entirely. They don't need your 2FA code they'll just skip that part of the authentication.

The same goes for passwords, but with passwords there is the potential of additional value on other sites that haven't been compromised so those are always worth collecting.

mikeashOP6y ago

This particular scenario involved injecting server code in 2015, then waiting until 2019 to use the credentials they collected. They would not be able to bypass 2FA here.

It’s true that 2FA wouldn’t protect you from having your account compromised immediately, but that’s not what happened.

j / k navigate · click thread line to collapse