"You must be able to log in without the use of own electronic devices" gave birth to pre-generated list of (time-based) 2FA codes (for over 3 hours) rule:

u/lukmly013 💾 (lemmy.sdf.org)@lemmy.sdf.org · edit-2 5 days ago

"You must be able to log in without the use of own electronic devices" gave birth to pre-generated list of (time-based) 2FA codes (for over 3 hours) rule:

mushroomman_toad@lemmy.dbzer0.com · edit-2 5 days ago

2fa is something you have and something you know.

Password is something you know, this paper is something you have.

Sanctus@anarchist.nexus · edit-2 4 days ago

Something you know, this paper will quickly become something everyone knows the minute the weakest link in your company security pipeline gets a hold of one.

piccolo@sh.itjust.works · 4 days ago

Thats why they are time sensitive.

Sanctus@anarchist.nexus · 4 days ago

Yeah and the first thing a pentester is doing is snapping a shot of that as they walk by. Its not taking long. Theres at least an hour that we can see in this screenshot. That is enough time.

mushroomman_toad@lemmy.dbzer0.com · 4 days ago

the paper is not something you know, it is not possible to memorize it.

Sanctus@anarchist.nexus · 4 days ago

Good thing we all have phones with cameras, and there are 2 hours worth of codes printed here.

mushroomman_toad@lemmy.dbzer0.com · edit-2 4 days ago

So now it is something that everyone has, it is still not something “you know”. Still counts as a second factor.

If you’re leaving your otp unlocked on your desk, you’re doing it wrong.

Sanctus@anarchist.nexus · 3 days ago

Do you work directly with the average user? They aren’t locking this in their desk drawers when they need it to login. This is getting left on someone’s desk 100%