Free Republic
General/Chat

To: cymbeline

2 factor generally runs through the token model. So what happens is you go through a login that probably doesn’t even use your password, or if it does that’s only half the login, and then you get a token. That token is only useful on that computer and for a limited amount of time. It’s very secure BUT the setup time to get it going is rough, and on the user side it’s not terribly intuitive, and often involves the user having to install apps on their phone, then you get a bunch of extra headaches when you have to switch phones. But it’s the wave of the future because it greatly limits the use, storage and transmission of passwords.


50 posted on 06/09/2021 10:38:34 AM PDT by discostu (Like a dog being shown a card trick )
[ Post Reply | Private Reply | To 49 | View Replies ]


To: discostu

“doesn’t even use your password”

Got it. How about using the public-private key scheme that’s used for things like sending credit card numbers. I, the user, would create a private/public key pair and send the public key to the service I wanted to access. They’d send me a password encrypted with the public key. I’d decrypt it with the private key that only I had. Then I’d send them the password, which would be usable only that one time.

Just thinking out loud.


54 posted on 06/09/2021 11:08:02 AM PDT by cymbeline
[ Post Reply | Private Reply | To 50 | View Replies ]

To: discostu

“often involves user having to install apps on their phone”

What about using a PC? Do you think that would be applicable? We NEVER do anything financial on our phones, or even get email.


66 posted on 06/09/2021 12:00:58 PM PDT by MayflowerMadam (Faith, not fear. Faith, not faintheartedness.)
[ Post Reply | Private Reply | To 50 | View Replies ]

To: discostu

Tokenization is not new. We’ve been doing tokenization with Kerberos for decades. 2FA is really taking off with key providers out there everywhere, but the setup is very specific and requires maintenance to prevent outages and issues. With OAuth, OATH, and FIDO, there are many different standards, but they all work generally the same way. It’s still only a second factor. Passwords are still somewhat at play unless you’re going passwordless like so many large corporations.

My advice to prevent these breaches from impacting you: get a password management utility such as KeePass. Keep it local if you can. If it’s in the cloud, it can be stolen and brute forced. If you use KeePass, get a YubiKey, secure it with a certificate or OTP, and have a different, 20+ character password for EVERYTHING. Never reuse passwords. Ever. That’s why these breaches are so terrible.


70 posted on 06/09/2021 12:26:29 PM PDT by rarestia (Repeal the 17th Amendment and ratify Article the First to give the power back to the people!)
[ Post Reply | Private Reply | To 50 | View Replies ]
