2FA has never been described as protecting against (1) or (3). That’s not what it’s for; treating these as deficiencies is tantamount to criticizing a hammer for driving screws poorly.
2FA exists to make authentication more difficult for an impostor or attacker. The goal is to prevent account takeover, which has historically been a risk to critical packages in multiple ecosystems.
(2) is sort of ambiguous. I’m not aware of a major case of either TOTP or WebAuthn being compromised en masse because it was on the same device as the first factor. I’m not even aware of a case where WebAuthn has been meaningfully attacked, full stop, despite theoretical breaks of hardware stores. Even with a full break, WebAuthn provides detectability: cloning the factor means cloning the counter, which will alert the user on the next login. On the whole, I think it's incorrect to frame 2FA as generally breakable without qualifying the threat and explaining how it applies to PyPI users.
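The clone-detection property mentioned above is the relying party's signature-counter check. The following is an added example, not code from the comment or from PyPI, that models only the signCount rule of WebAuthn Level 2 section 7.2; signature verification is assumed to have already succeeded and the authenticator and credential record are constructed toy objects.

```python
"""Added example: WebAuthn signCount handling that makes a cloned
authenticator detectable on the legitimate device's next login.
Assumptions (not in the comment): assertion signatures are treated as
already verified; only the counter logic is modelled."""
from dataclasses import dataclass


@dataclass
class CredentialRecord:
    """Relying-party state for one registered credential (constructed)."""
    credential_id: str
    sign_count: int = 0  # last signCount the server accepted


@dataclass
class Authenticator:
    """Toy authenticator; only the monotonic counter matters here."""
    sign_count: int = 0

    def sign(self) -> int:
        """Return the signCount that would appear in authenticatorData."""
        self.sign_count += 1
        return self.sign_count

    def clone(self) -> "Authenticator":
        """A cloned device starts with a copy of the current counter."""
        return Authenticator(sign_count=self.sign_count)


def check_sign_count(record: CredentialRecord, received: int) -> str:
    """Apply the relying-party counter rule (WebAuthn L2, 7.2 step 21)."""
    if received == 0 and record.sign_count == 0:
        return "accepted"  # authenticator does not implement a counter
    if received > record.sign_count:
        record.sign_count = received  # normal case: counter moved forward
        return "accepted"
    # Counter stalled or went backwards: possible clone, alert the user.
    return "clone_suspected"


def demo() -> list[str]:
    """Three legitimate logins, one login from a clone, then the owner again."""
    record = CredentialRecord(credential_id="cred-1")  # constructed sample
    legit = Authenticator()
    results = [check_sign_count(record, legit.sign()) for _ in range(3)]
    clone = legit.clone()  # attacker copies the device at counter 3
    results.append(check_sign_count(record, clone.sign()))  # 4 > 3: accepted
    results.append(check_sign_count(record, legit.sign()))  # 4 <= 4: flagged
    return results
```

The clone's own login passes, but the owner's very next login presents a stale counter and is flagged, which is the detectability the comment refers to.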