• IllNess@infosec.pub
    2 days ago

    The way I looked at it, it’s no different than having a mobile device with a password manager on it, because if someone steals your mobile device, they have access to everything as well. So the “two-factor authentication apps shouldn’t be on desktop” argument never made sense to me; mobile is the same way.

    That is true. And more phones are stolen now than computers. Computers can have the same security and encryption if properly configured.

    Even though you make a logical point, something in my gut doesn’t feel right.

    • FrederikNJS@lemmy.zip
      2 days ago

      These are great points, but there is something more that phones have going for them.

      All modern phones are full-disk encrypted by default, and can be remote wiped. I think this is only the case for Mac laptops, but not for Linux and Windows.

      So if your phone is stolen, it’s not really a risk of the thief having your password manager and your 2FA at the same time, but rather can they get into your phone and then password manager and 2FA before you can trigger the remote wipe.

      Unless the attacker is sophisticated enough to mirror the whole disk and attack it offline.

      • IllNess@infosec.pub
        2 days ago

        Yeah. You have great points. A lot easier to wipe a device that is actively connected. Laptops don’t usually have that luxury. It is a lot easier to take apart a laptop. It is easier to plug in a USB HID for brute forcing or to constantly move a pointer to prevent it from going to sleep.

        I guess that’s the feeling in my gut.

        Thank you for your input.