HACKER Q&A
📣 s3131212

When "Two-Factor Authentication" (2FA) Isn't Two


I was using my online banking service to transfer money today, and in my country the transfer requires an SMS OTP (yes, I know SMS is terrible for security). I noticed that my Mac automatically filled in the SMS OTP that was sent to my iPhone, even though my iPhone was still locked.

The idea behind SMS OTP is that it proves you "have" the device. But in this case, as long as the device is nearby, my Mac can read and use the code without me unlocking the phone. I don't even need to touch the device. So the "possession" factor doesn’t really work the way it's supposed to.

It got me thinking, are there more examples where 2FA accidentally collapses into a single factor? Or where the two factors aren’t as independent as we assume?

I find this pretty interesting and want to look more into it, but a quick search hasn't turned up much. Does anyone know if people have already written about this?


  👤 winstonwinston Accepted Answer ✓
That is how it works if you have Messages sync enabled. Other MFAs are also synced on Apple devices: TOTP and Passkeys are synced via iCloud Keychain to all iPhones and Macs using the same iCloud Keychain account.

I believe Google synced TOTP and Passkeys between Android devices using the same Google account; I did not test this, though.

Obviously one can disable sync, but IMO synced MFA is what most want anyway.