Avoiding 2FA lockout

No, because a breached email account shouldn’t allow attackers access to accounts secured with 2FA - that’s one of the main ideas why to use 2FA in the first place!

It’s very different. If your stock app weren’t sh!tty, it would allow encrypted backups of your TOTP seeds like every other good TOTP app.

Also (again), a “lost” (secondary) email shouldn’t allow attackers access to your account as long as they are properly protected by 2FA and don’t include a backdoor.

Still no idea what you are talking about. Either your (unnamed/unknown) stock app is so crappy it doesn’t have basic functionalities (then change your whole OS if you don’t want to change only one app), or you are not capable of taking backups while your stock app actually allows this.

Funny, there was a rule when I lived in an apartment building with shared access keys that all needed to be changed when only one was lost - and it happened more than once that all keys were changed!

The thing is that this is a single factor (not the one you know but the one you have). Every person in possession of such a key has access to all shared areas even when not living in the building.

When talking about factors in password security, there are three:

  • Something you know, like username and password
  • Something you have, like a paper with codes printed out before-hand
  • Something you are, like a fingerprint or retina.

Originally anything digital would be considered something you knew, because the something you have section was defined by the fact that it had to be physically possessed.
Digital versions of something you have have been made available by TPM chips in the devices, which make sure that the digital information cannot be copied to another device, so the device is thereby the something you have.

Something you are is usually not recommended to be used much, because if the information is somehow stolen, then it is really hard to change that password method. New fingerprints or retinas are not that easy to get.

Our company (security department) “classified” TPM as snake oil somewhere around March this year and disabled all (UN)-Trusted-Platform-Modules on new machines, as well as requesting all devices which are not scheduled to be replaced/switched till Q2/24 for an in-house overhaul to disable TPM.

Bugs and bad implementation of TPM actually allowing access to “protected” or “unreadable” content/secrets:

and the third one you should NEVER use!

Request for the feature request @emandt: Change the title to “Implement 2FA Backdoor”

Yeah, the theory is good. The implementation of it, not always so.
And sorry, if it was already mentioned in the thread. I skimmed it and did not see it. :slight_smile: