2FA is Still Too Complicated for Most People
https://secarch.dev/posts/2fa-is-still-too-complicated-for-most-people/ [secarch.dev]
2019-04-02 02:54
What is there to be familiar with? Terminology for one. What do you mean “Google Authenticator” isn’t a Google service that is automatically backed up and instead it’s an implementation of something called OATH-TOTP? Are recovery codes backup codes? How does that compare with something called recovery tokens? Are backup codes exclusively backups for 2FA or for the whole login? What do you mean a password reset via email doesn’t allow me to deactivate 2FA? Is it possible to change my password without 2FA? Can I deactivate 2FA if I lost my device, but still have an active session? How often do I need to use my second factor device for login anyway?
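The "Google Authenticator is just OATH-TOTP" point is easy to see in code. The following is an added example, not code from the original post: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with nothing but the Python standard library, and checks itself against the test vectors published in those RFCs. The seed `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ` is the base32 encoding of the RFC test secret `12345678901234567890`; the two "device" labels in the demo are constructed for illustration. The takeaway for the backup question: the app holds only that seed, every code is a pure function of the seed and the clock, so any TOTP app given the same seed produces identical codes, and a "backup" of Google Authenticator is nothing more than a copy of the seeds.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is floor(unix_time / period)."""
    return hotp(secret, unix_time // period, digits, algorithm)


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode the base32 seed from a QR code / otpauth URI; apps usually omit '=' padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                period: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring steps
    (clock skew), comparing in constant time so timing does not leak digit matches."""
    step = unix_time // period
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step + delta, digits), code):
            return True
    return False


# Constructed demo: the same seed enrolled in two different apps.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of b"12345678901234567890"


def codes_for_two_devices(seed_b32: str, unix_time: int) -> dict:
    """Two hypothetical devices holding the same seed; returns the code each would show."""
    secret = decode_base32_secret(seed_b32)
    return {
        "phone_google_authenticator": totp(secret, unix_time),
        "laptop_other_totp_app": totp(secret, unix_time),
    }


if __name__ == "__main__":
    now = int(time.time())
    shown = codes_for_two_devices(RFC_SEED_B32, now)
    print(shown)  # both entries are identical: only the seed and the clock matter
    secret = decode_base32_secret(RFC_SEED_B32)
    # RFC 6238 Appendix B vector: T=59, SHA-1, 8 digits -> 94287082
    print(totp(secret, 59, digits=8))
```

Usage note: the `window` in `verify_totp` is the reason a code from the previous 30-second step still works after you fumble typing it; it is also why a server must additionally remember the last accepted step and reject replays within that window.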