Over 5,300 GitLab servers exposed to zero-click account takeover attacks - eviltoast
  • Mikina@programming.dev
    10 months ago

    I see. IIRC from school, “factor” actually has a definition - it’s either something you have (keycard, phone), something you are (biometrics) or something you know (password).

    For authentication to be truly effective MFA, it would have to require at least two of those factors. And that's also why, i.e., email isn't really MFA.

    So, I guess it boils down to where you are storing your passwords. If they are also in the password manager, then it's only 1FA, because knowing your password manager password is enough to defeat it. (Or, if someone finds a zero-day in the password manager.)

    • CubitOom@infosec.pub
      10 months ago

      It’s still two separate passwords so I think it qualifies as 2 factors.

      But yes, the password manager has one GPG key, which only has one passphrase used to decrypt the passwords saved in the password manager. So if that was compromised, then so would all passwords be.