If an app or web service offers two-factor authentication, you should be using it. Here's how it works and what sorts of pitfalls to watch out for. ssd.eff.org/module/how-enable-

@eff Uhh, this is wrong or misleading and you even give the reasons for it:

> Even if someone were to get ahold of your password, they could not access your account unless they also had your mobile phone or another secondary means of authentication. This is particularly important since data breaches that include user passwords are a common occurrence. Websites get breached all the time and reveal a person's password and username. 2FA is not an alternative to using strong and unique passwords, but it can provide a small extra layer of security in case someone has hit gold plugging your username and password into a different site.

2FA via TOTP only adds a layer against the mentioned attack ("password stuffing") *if* you don't already use unique passwords. So while yes, 2FA is no alternative to unique passwords... unique passwords are an alternative to 2FA for exactly the scenario you describe.

Indeed, 2FA TOTPs only protect reasonably against password stuffing¹ and they are useless if you have unique passwords. Which actually shows that they aren't real "second factors" since it's not the second factor that's improving security but the randomness that "unique-izes" the password.

Just abolish TOTPs, use unique passwords.


@ljrk @eff Nope, TOTP protects against more than that. For example, against someone seeing or recording you type your password. Or against a hardware keylogger between the keyboard and PC. Or against an online password manager breach. (TBF people shouldn't use web services to store passwords.)

TOTP's value lies in two facts:
- Code is generated on a different device.
- Intercepting the generated code does not reveal the secret.
