this post was submitted on 28 Jan 2024
355 points (99.2% liked)

Technology

58133 readers
4395 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
355
Over 5,300 GitLab servers exposed to zero-click account takeover attacks (www.bleepingcomputer.com)
submitted 7 months ago by [email protected] to c/[email protected]
50 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 7 months ago (1 children)

I'm just using my password manager in place of the authenticator app.

So rather than using an app like Google authenticator or Authy to see what the new random sequence is for the MFA, my password manager stores that QR as a string and will display the same random sequence that a normal MFA app would.

They key difference is that my MFA is synced across any device that I have configured my password manager on using the same cryptographic keys and version control history.

So if my phone is dead, lost, or stolen, I can still access my banking account via MFA as normal.

I suppose it brings up the idea of what a "factor" is in how it's used for MFA. If a factor is supposed to be a different device, a different app on the same device as your password manager, or just a different passphrase that's constantly changing.

[–] [email protected] 2 points 7 months ago (1 children)

I see. IIRC from school, "factor" actually has a definition - it's either something you have (keycard, phone), something you are (biometrics) or something you know (password).

For authentication to be truly an effective MFA, it would have to require at least two of those factors. And that's also why I.e email isn't really a MFA.

So, I guess it boils down to where are you storing your passwords. If they are also in the password manager, then, its only 1FA, because knowing your password manager password is enough to defeat it. (Or, if someone finds a zeroday in the pass manager).

[–] [email protected] 1 points 7 months ago

It's still two separate passwords so I think it qualifies as 2 factors.

But yes the password manager has one gpg key which only has one passphrase used to decrypt the passwords saved in the password manager. So if that was compromised then so would all passwords