Comment on The steam mobile app telling me to open the steam module app to login to the steam mobile app .
bighatchester@lemmy.world 1 day agoAll options eventually led to customer support. So now I’m waiting for steam to give me permission to access my games . It’s frustrating that I can know my password and can access the email connected to the account. But for some reason that’s not enough .
Creat@discuss.tchncs.de 1 day ago
That’s the point of real 2fa. And the prices of activating it also makes it very clear. I find it incredibly frustrating when I activate 2fa on some service, and they allow email as a callback that I can’t turn off. Cause that turns out back into single factor, being the email. That’s what the recovery codes are for.
Otherwise, if someone has access to your email, they can just reset the password and get access (cause that is the 2nd factor). Then they can change the associated email address and that’s that.
TrickDacy@lemmy.world 1 day ago
How is it not 2fa if it involves any method besides your password? Your password is factor 1, something else is factor 2. That can be a number of things.
Randelung@lemmy.world 1 day ago
Reset password via email. Reset second factor via email. Email is the only factor, neither password nor the 2fa.
Usually, the actual login is not the easiest target for an attacker, the recovery methods are. You call a helpline to get a second SIM for SMS codes. You guess (or dig up) answers to recovery questions if available. You get access to email accounts, e. g. via phishing.
If a recovery path for a security factor is weak, it ceases to be a security factor. By allowing both password and the second factor to be recoverable via email, both factors collapse into one: get access to the email and you’re in.
Creat@discuss.tchncs.de 1 day ago
Like Randelung said, that would be true if you couldn’t reset you password via email. But as long as that’s possible the email can’t ever be the 2nd factor because it can be used to (re)set the 1st one.
A safer definition of what the 2 factors should be is “something you know” and “something you own”. The “know” is usually a password (which you can remember, but you should use a password manager these days so you can have a different password for every service). The “own” is typically a phone these days (generating a timed code, for example). But it doesn’t have to be, it can be a physically USB dongle or your fingerprint. The idea is that it’s something that can’t be overheard, or recorded via key logger or or even told to someone.
Steam does this better (as in safer) than most.