Transcript
A wafrn woot (post) by @tinker@infosec.exchange saying “Microsoft Authenticator needs me to validate with Authenticator in order to log in with Authenticator to use it to authenticate another app with Authenticator. Here is the app telling me to open itself to validate itself with itself. #infosec #iHateComputers” It has a screenshot showing the microsoft authenticator app.
This is where you’re supposed to run the find my phone from another device where you’re already signed in, such as your laptop at the hotel room. Or alternatively have one of your partner’s accounts as a backup 2FA method since your partner probably didn’t lose their phone at the same time.
If anyone can sign into the account and lock the phone as lost with just a username and password then the moment your username and password are breached/guessed your entire account is as good as gone
A lot of people here are treating me like I’m stupid when my only point really is that Google knows the one way I cannot recover my phone was with the phone itself so it’s not a smart design to offer that. Carrying more devices isn’t a real option either, so I get that technically it’s possible, but smarter people than I should’ve come up with something better by now. No one can carry or afford a backup phone.
It’s ultimately the challenge that 2FA is a combination of 2 of the following: something you have, something you are, or something you know. Or as a Cisco security engineer once put it in a talk, a combination of something you’ve lost, something you’ve forgotten or something you were at one time but are no longer.
Ultimately, authentication sucks and there’s really no better way to do it for individuals than just having multiple backup methods, which of course is more opportunities for account compromise. It’s a lose-lose-lose situation