undefined | Better HN

0 pointsbaby5y ago0 comments

Some websites also allow you to disable or rotate your 2FA creds if you're already logged in, without having to re-authenticate with your second authenticator.

0 comments

jabbany5y ago

This seems a little dangerous since now the logged in state (likely cookies but maybe also hashed with identifiers like IP etc.) becomes considerably more valuable to steal.

I actually see the opposite done, where any changes to login related things (passwords, 2fa keys) mandate a 2fa re-auth.

babyOP5y ago

Heh, stealing a logged state is bad no matter what unless you’re requiring re-auth on important operations. The risk of one losing their second factor is much much higher.

j / k navigate · click thread line to collapse