My knowledge in this area is limited.
What I do know is that the extra safety provided is fairly simple.
Suppose I somehow figure out your password and username (or email)
for your Amazon account. Without TFA, that would give me access to
your recent purchases and, depending on what you have configured, might
even allow me to make purchases charged to your credit card.
With the additional TFA, I can get past the password prompt but then
will be stuck at the prompt for the code that has been sent to your
cell phone and not to mine. And you'll get that prompt and know that
(1) someone got hold of your password so you need to change it; and
(2) at least that someone did not get into your account.
As you mention, breaches can happen on many levels and in many
places. You choosing a secure password, keeping it safe, and not
sharing it with anyone only guarantees that you won't leak it. It
can still be leaked if the company gets successfully hacked.
Free security / password advice for all who are reading here:
A few years back, I got an email from LinkedIn apologizing for the
inconvenience because they had their accounts data stolen. At that
time I worked with perhaps four passwords that I had memorized and
reused. A much-needed wake-up call for me. I changed all my
passwords. I registered at clipperz.is (a free service), a service
that helps to generate random passwords (typically 24 completely
random characters, insanely hard to crack) and store them securely
encrypted on their servers. Even if their servers get compromised,
nobody will be able to decipher my information without knowing my
passphrase. So the only gamble I took is that I trust the
advertising and information given by clipperz.is (if they're a scam
then I am royally screwed since I have ALL my passwords there!)
When I now sign up for a new service, I simply let clipperz.is
generate a random password for that site only, and store it so I can
always copy/paste it when I want to log on.
So now, if e.g. LinkedIn gets compromised again, the hackers will
still have my logon data for LinkedIn but it won't work on any other
On 15-11-2021 at 14:08, Johnb wrote -