Hacker News
Websites with fake MFA: security theater?
23 points by NoZebra120vClip on July 14, 2023 | hide | past | favorite | 18 comments
Greetings, I may have discovered a very common weakness in multi-factor authentication (MFA) as widely implemented by many websites and organizations.

So far, the suspects include GitLab and Credly: the exploit begins by invoking the "Forgot My Password" flow, then procuring the "Reset Password" email. Follow the link found in that email message, provide a new password, and you're signed in to the victim's account without ever being challenged for 2FA.

Now, the challenge here is intercepting that email message, but that's a trivial feat: it's in plaintext and you probably know where it was sent. You may need to execute a takeover of the email account. But this may be easier than procuring the victim's TOTP secret, or otherwise providing that second factor, and you also don't need to know the other factor -- the password!

Let's call it 0FA.

I contacted GitLab via their HackerOne bug bounty program, and the application was rejected, because an email intercept is not part of their account threat model.

I innocently contacted Credly Support, asking where to find recovery codes, and Dominique informed me with a straight face how to completely bypass MANDATORY TOTP MFA and recover my account WITHOUT EVEN GIVING THE PASSWORD to sign in. And then, she explained, I would be free to disable MFA or do whatever I wanted! yay

So am I wrong? Is this a nothingburger, or is it really what it appears to be: security theater, brought to us by techbros who don't know how to roll their own auth?




> Now, the challenge here is intercepting that email message, but that's a trivial feat: it's in plaintext and you probably know where it was sent.

No. Just no.

This is exactly the same difficulty as compromising the account you're attacking RIGHT NOW.

The email isn't plaintext (it's almost certainly smtp over tls/ssl). Knowing where it was sent doesn't help you. Executing a takeover of the email account is roughly equivalent to executing your current attack.

---

>So am I wrong? Is this a nothingburger, or is it really what it appears to be: security theater, brought to us by techbros who don't know how to roll their own auth?

Yes. You're wrong. They absolutely DO know how to roll their own auth. It turns out basically no one actually wants real 2fa where a lost device/key means losing the account.

Right now, for good or for bad, an email address is one of the few sane ways to identify a user. Getting my email is roughly the same as having a wallet with my id - online sites will trust that ownership == identity.

Particularly secure companies will sometimes require you to verify identity another way during recovery (ex: Google has asked for a notarized copy of my ID) but for most accounts the extra security likely harms more users than it helps.


It strikes me as easier to target a specific user, and try to steal their email credentials (phishing is still ridiculously successful), and then basically get access to all of their online accounts.

I would tend to agree that if I did lose my password, then upon change of said password, I should still provide the 2FA challenge when actually logging in. Alternatively, the password change flow should not be started unless I provide the 2FA challenge itself. After all, what are the odds I lost both the password and the 2FA device?

Equally, I use two yubikeys; one as my primary and one as my backup. Every time I register a new account I have to hope the service actually allows me to register multiple security keys (looking at you PayPal) or store the TOTP on both keys. Whenever possible, I disable TOTP if Webauthn is supported, however this is quite commonly not possible (Binance I believe doesn’t even allow you to disable SMS recovery).
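The two options in the comment above (require the second factor at login after a reset, or refuse to start the reset without it) both come down to the same rule: a reset link proves mailbox access and nothing more, so it should never mint a fully trusted session on its own. The block below is an added example for this thread, not code from GitLab, Credly or any commenter; the in-memory store, the class and function names and the 15-minute link lifetime are assumptions for illustration. It implements RFC 6238 TOTP inline so the MFA check is real, and puts the flow the post describes (`reset_weak`) beside a hardened one (`reset_hardened`) whose session stays unusable until the TOTP code is shown, exactly like a normal login.

```python
"""Password-reset flow that does not let the reset link bypass enrolled MFA.
Added example for the thread above; not GitLab's, Credly's or any commenter's code.
Assumed for illustration: in-memory user store, RESET_TTL, all names below.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

RESET_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)


def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps) for a Base32 secret at unix time `at`."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def pw_hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


@dataclass
class User:
    email: str
    salt: bytes
    pw: bytes
    totp_secret: Optional[str] = None            # None means MFA is not enrolled
    reset: Optional[Tuple[bytes, float]] = None  # (sha256(token), expiry); token itself is never stored


@dataclass
class Session:
    email: str
    mfa_pending: bool  # True: first factor accepted, second factor not yet shown

    def can_access(self) -> bool:
        return not self.mfa_pending


class AuthService:
    def __init__(self, now: Callable[[], float] = time.time):
        self.users: Dict[str, User] = {}
        self.now = now  # injectable clock so expiry can be exercised offline

    def register(self, email: str, password: str, totp_secret: Optional[str] = None) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = User(email, salt, pw_hash(password, salt), totp_secret)

    def login(self, email: str, password: str) -> Session:
        """Normal path: password first, then MFA if enrolled."""
        u = self.users[email]
        if not hmac.compare_digest(u.pw, pw_hash(password, u.salt)):
            raise PermissionError("bad password")
        return Session(email, mfa_pending=u.totp_secret is not None)

    def request_reset(self, email: str) -> str:
        """Returns the token that would go into the e-mail; only its hash is stored."""
        tok = secrets.token_urlsafe(32)
        self.users[email].reset = (hashlib.sha256(tok.encode()).digest(), self.now() + RESET_TTL)
        return tok

    def _consume_reset(self, email: str, token: str, new_password: str) -> User:
        u = self.users[email]
        if u.reset is None:
            raise PermissionError("no reset in progress")
        stored_hash, expiry = u.reset
        u.reset = None  # single use, whether or not the token validates
        presented = hashlib.sha256(token.encode()).digest()
        if self.now() > expiry or not hmac.compare_digest(stored_hash, presented):
            raise PermissionError("invalid or expired reset token")
        u.salt = secrets.token_bytes(16)
        u.pw = pw_hash(new_password, u.salt)
        return u

    def reset_weak(self, email: str, token: str, new_password: str) -> Session:
        """The flow the post describes: following the link == signed in, MFA never asked."""
        self._consume_reset(email, token, new_password)
        return Session(email, mfa_pending=False)

    def reset_hardened(self, email: str, token: str, new_password: str) -> Session:
        """The link only replaces the password; the second factor is still required."""
        u = self._consume_reset(email, token, new_password)
        return Session(email, mfa_pending=u.totp_secret is not None)

    def verify_totp(self, s: Session, code: str) -> Session:
        u = self.users[s.email]
        if u.totp_secret is None or not hmac.compare_digest(code, totp(u.totp_secret, self.now())):
            raise PermissionError("bad TOTP code")
        return Session(s.email, mfa_pending=False)
```

The difference between the two reset functions is one field: `reset_hardened` hands back the same half-authenticated session that `login` does, so whatever middleware gates on `can_access()` treats a mailbox compromise as one factor, not two. Note that the token is hashed at rest and burned on first use, so a reset e-mail read later from a mailbox backup is worthless once the legitimate user has acted on it.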


> It strikes me as easier to target a specific user, and try to steal their email credentials (phishing is still ridiculously successful), and then basically get access to all of their online accounts.

Yes - this is absolutely the case.

> I would tend to agree that if I did lose my password, then upon change of said password, I should still provide the 2FA challenge when actually logging in. Alternatively, the password change flow should not be started unless I provide the 2FA challenge itself. After all, what are the odds I lost both the password and the 2FA device?

The problem is not that the odds are high (although they are higher than you'd expect). The problem is that the odds are not zero. So you have to either fall back to a much more expensive verification method, or you have to accept that this account is now a zombie account with an unhappy user.

In many cases - the cost to a business of dealing with a small number of compromised accounts is much lower than the cost of having a real verification system for identity and recovery for failed 2fa.

It's not even that unreasonable a stance, since identity verification is a Hard (with a fucking capital H) problem. At best you tend to be praying that the local government (or bank) for that user's region has a decent identification system and good records, or that the user has a preponderance of evidence in their favor.

So... long story short, this is a hard problem. Lots of businesses would still prefer the government take a more active role even in the US (ex: https://www.cfr.org/report/solving-identity-protection-post-... and I've been hearing about similar plans to use the USPS as identity verification for at least a decade now)


What you say makes sense. I just wish I were able to make that call for my accounts, instead of companies making it for me.

The user should be able to decide whether they want ease-of-use and convenience over actual security. I am fine with losing an account if I lose the ways I've setup to prove I own it.

This is also only an issue when it comes to non-company use. For companies, there's always an admin user who can reset your 2FA/password next time you walk into the office.


If they don't have 2FA on their email, and you have their password, that is bypassing the 2FA. :) Single factor. Password. No physical device, no 2FA.


> Google has asked for a notarized copy of my ID

Very interesting. Could you tell how long it took, and how the process of recovering your account went?

I'm in one of those months where I panic and wonder if I should disable advanced protection.


This was not for a personal account. It was recovery of a business account that was locked for session hijacking (intentional and done as part of developing a potential feature, but session hijacking nonetheless).

At the time (~2013) it triggered a complete lockout and manual verification of billing identity (notarized ID) to get back in.

They don't do it for personal accounts, as far as I know. Honestly, I'm not sure the Google of today would do it for a business account.


Agreed, that's like saying, "it's easy to rob a bank, just get the keys."


Most "two factor" is indeed just completely fake. The idea is that by getting people to verify with a phone number, you can harvest data about them and make money from them. That's it. A sham, scam, whatever.


"The idea is that by getting people to verify with a phone number, you can harvest data about them and make money from them."

Welcome to OpenAI.


> it's in plaintext

Is it? Obviously it gets sent to the mail server, but that's usually TLS encrypted. Worth checking if it uses STARTTLS, but not that bad.

> Let's call it 0FA.

No, still 1 factor.


The email is a replacement factor for the password, so this is still 1FA. This would also be an issue if email was a recovery factor for either password or MFA.

I always advise people to MFA their email accounts because that’s where all password resets are sent making it single target for many account takeovers.


They are weighing the customer experience (and support costs) of all lost MFA being locked out or requiring lots of human intervention against the likelihood of your email or physical device getting owned.


> Is this a nothingburger, or is it really what it appears to be: security theater, brought to us by techbros who don't know how to roll their own auth?

Are those the only two options?


All 2FA is security theater. All 2FA in use today is normally just 1FA pretending to be 2FA. If I have your phone, then I have everything I need to login. That's 1 factor. 2FA is only 2FA if the physical device ownership requirement does not have access to use the thing being accessed. Why? Because you store passwords on that device. That device has your password. If I have the device, I have your password. You would have to use no auto-fill and memorize your passwords so that the physical device does not have your password in it. The point is, if I get one factor, I don't have the other. But in reality, our physical devices can access the thing we want, and therefore you likely store your credentials on that device.


> All 2FA is security theater.

Might be the worst take I have seen on this website. Anyone with first-hand experience in corporate information security will not agree with you. Fact of the matter is 2FA stops the majority of credential/phishing based attacks, because the majority of attackers are casting a wide net and will simply give up. Is it perfect? No. But to say it's all security theater is ignorant.


Does anyone have resources or links on this topic? I was not succeeding in finding it being discussed on the open web. Is there a term for it that I need to know?


It's a common problem with consumer MFA. The MFA part isn't the hard part of MFA.



