A few months ago, I lost my 2FA code for one of my accounts. I emailed the service, and they disabled my 2FA without asking for any proof. But had my email been compromised, a threat actor could have done the same and gotten access to my account. Does this mean 2FA is no longer safe? Does this also mean services can disable YubiKey 2FA whenever they want too? I feel that from both a privacy and security standpoint this is very, very concerning.
Update: Upon asking more knowledgeable people, it seems that the company is at fault here, and ideally should not disable 2FA without recovery codes. 2FA is safe; all I had was a misconception. The lesson learned is: only put important stuff in companies you trust that won’t do this. While it is an old account of mine which I no longer used, I was still confused and tense!
So it seems what happened to me was just a bad occurrence. Perhaps the customer representative on the other end had a bad day and, without checking further, just approved my request, but companies only do so if they have 100% confirmed that I am the actual owner of the account.
The core lesson here is that offering a security/privacy functionality is half the equation; its implementation and how it integrates with the rest of the ecosystem can be equally important.
I’m not sure what the details are for this specific account, perhaps they have automated checks based on IP addresses/etc. but the point still stands:
- A certain mobile provider allowed me to reset a password online after messaging live customer support, with zero proof I owned the phone number, and the phone number wasn’t required for the password reset. AKA, anyone who knew a phone number could easily social engineer their way into an account. Does this mean passwords are no longer safe? No, it just means that the way the password is utilized by this mobile provider has a massive flaw if it were to be discovered.
- Recently, MEGA dealt with the exploit in their zero-knowledge encryption which allowed the possibility for MEGA to be able to access files that were supposed to be E2EE. Does this mean E2EE/ZKE aren’t safe? No, it just means their implementation and when/where it’s utilized may have severe implications.
To answer your question: yes, 2FA is generally safe in itself. But that doesn’t mean it isn’t possible that an account can have 2FA disabled without verifying you. It doesn’t mean someone can’t phish a TOTP code. It doesn’t mean your phone number for 2FA won’t be used for advertising purposes. It doesn’t mean the service won’t store TOTP seeds in plaintext on an insecure server. Etc.
That being said, even in this scenario where OP’s account was reset without any proof of owning the account, it’s still better to have had TOTP for 2FA rather than 2FA via phone number, for the same reasons Henry mentioned. If both phone number and TOTP 2FA can be social engineered for this company, at least with TOTP you are not also exposed through a potential SIM swap if the attacker didn’t know about the vulnerability at this specific company.
Not to say that Henry would disagree with this, but it’s another factor to consider. You’re still better off for having TOTP enabled even in this case I think.
You may want to look for an alternative to this company now that you know, lol.
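As an added example (not code from anyone in this thread), here is what the recovery path OP's update asks for looks like when a service actually enforces it: a request to turn 2FA off is honoured only with proof of possession, either a valid current TOTP code or one unused recovery code, and a bare support request from the account's e-mail address is refused. TOTP is implemented from RFC 6238 (HMAC-SHA1, 30-second steps) on the standard library alone; the `Account` record, `enroll()`, `disable_2fa()` and the sample secret (the RFC 6238 test key) are constructed for illustration and are not any real provider's code.

```python
"""Added example: a 2FA-disable flow that refuses requests without proof of
possession. Account, enroll() and disable_2fa() are illustrative constructs."""
import base64
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

STEP = 30              # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
PBKDF2_ROUNDS = 100_000
# Base32 of the ASCII key "12345678901234567890" from the RFC 4226/6238 test vectors.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


def totp(secret_b32: str, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the Unix time in 30-second steps as the counter."""
    return hotp(secret_b32, now // STEP)


def verify_totp(secret_b32: str, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +-window neighbours for clock drift; compare in
    constant time so a mismatch does not leak how many digits were right."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + d * STEP), code)
        for d in range(-window, window + 1)
    )


def hash_recovery_code(code: str, salt: bytes) -> str:
    """Recovery codes are stored only as salted PBKDF2 hashes, so a database leak
    does not hand an attacker a ready-made way to switch 2FA off."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS).hex()


@dataclass
class Account:
    email: str
    totp_secret: Optional[str] = None                       # base32 seed; None = 2FA off
    recovery_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    recovery_hashes: Set[str] = field(default_factory=set)  # hashes of unused codes


def enroll(email: str, totp_secret: str, n_codes: int = 8) -> Tuple[Account, List[str]]:
    """Turn 2FA on: keep the seed and hashed recovery codes, hand the plaintext
    codes back exactly once so the user can store them offline."""
    acct = Account(email=email, totp_secret=totp_secret)
    codes = [secrets.token_hex(8) for _ in range(n_codes)]  # 64 bits of entropy each
    acct.recovery_hashes = {hash_recovery_code(c, acct.recovery_salt) for c in codes}
    return acct, codes


def disable_2fa(acct: Account, proof: Dict[str, str], now: int) -> Tuple[bool, str]:
    """Honour a disable request only with proof of possession.

    proof is {"kind": "totp", "code": ...} or {"kind": "recovery", "code": ...}.
    Anything else, including 'the request came from the account e-mail' or a
    support agent's say-so, is refused: that is the check OP's provider skipped.
    """
    if acct.totp_secret is None:
        return False, "2FA is not enabled"
    kind, code = proof.get("kind"), proof.get("code", "")
    if kind == "totp" and verify_totp(acct.totp_secret, code, now):
        acct.totp_secret, acct.recovery_hashes = None, set()
        return True, "disabled with a valid authenticator code"
    if kind == "recovery":
        if hash_recovery_code(code, acct.recovery_salt) in acct.recovery_hashes:
            acct.totp_secret, acct.recovery_hashes = None, set()  # all codes void now
            return True, "disabled with a valid recovery code"
        return False, "refused: recovery code unknown or already used"
    return False, "refused: no proof of possession (a support request alone is not enough)"


def demo() -> Dict[str, bool]:
    """The thread's scenario: someone holding only the mailbox vs. the real owner."""
    now = 59  # RFC 6238 test time; the matching 6-digit TOTP is 287082
    acct, codes = enroll("op@example.com", RFC6238_SECRET)
    results = {
        "support_request_refused": not disable_2fa(acct, {"kind": "support"}, now)[0],
        "wrong_totp_refused": not disable_2fa(acct, {"kind": "totp", "code": "000000"}, now)[0],
        "wrong_recovery_refused": not disable_2fa(acct, {"kind": "recovery", "code": "0" * 16}, now)[0],
        "recovery_code_accepted": disable_2fa(acct, {"kind": "recovery", "code": codes[0]}, now)[0],
    }
    acct2, _ = enroll("op@example.com", RFC6238_SECRET)
    results["totp_accepted"] = disable_2fa(acct2, {"kind": "totp", "code": totp(RFC6238_SECRET, now)}, now)[0]
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The point the code makes is the one the replies make in prose: the TOTP algorithm is fine, and the account is only as safe as the weakest path that can turn it off. Here that path is deliberately the same as the login path (authenticator or recovery code), so compromising OP's mailbox or talking a support agent round buys nothing.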