Random thought I’ve been having as we keep bringing this topic up these past few weeks…
How interesting or uninteresting would bi-modal 2FA be?
That is: you receive a code by text and you enter the code by email…
I haven’t spent any time to work out whether this significantly changes the attack surface but… At first glance it does seem like you would need to own two different account types…
… So I guess a first question would be: does this exist anywhere? Has anyone ever seen this or done this?
Bi-modal 2FA is already here: you receive a code by text and you enter the code in your web browser (or a proprietary app like a banking app).
Moving from web browser to email for entering the 2FA code means that you (the user) have to make sure to send email to the correct address, not one provided by the attacker.