Transcript
A wafrn woot (post) by @tinker@infosec.exchange saying “Microsoft Authenticator needs me to validate with Authenticator in order to log in with Authenticator to use it to authenticate another app with Authenticator. Here is the app telling me to open itself to validate itself with itself. #infosec #iHateComputers” It has a screenshot showing the microsoft authenticator app.
A lot of people here are treating me like I’m stupid when my only point really is that Google knows the one way I cannot recover my phone was with the phone itself so it’s not a smart design to offer that. Carrying more devices isn’t a real option either, so I get that technically it’s possible, but smarter people than I should’ve come up with something better by now. No one can carry or afford a backup phone.
It’s ultimately the challenge that 2FA is a combination of 2 of the following: something you have, something you are, or something you know. Or as a Cisco security engineer once put it in a talk, a combination of something you’ve lost, something you’ve forgotten or something you were at one time but are no longer.
Ultimately, authentication sucks and there’s really no better way to do it for individuals than just having multiple backup methods, which of course is more opportunities for account compromise. It’s a lose-lose-lose situation