[MalPearce]

You don’t have to give MFA your phone number if it’s set up right.

The way I’ve set it up - the app generates a unique code representing your username and password, that is 512 bit encrypted, and creates a QR code from it. You scan the QR code into the authenticator app on your phone, and it sends the combined QR+emei encrypted in the other direction.

This way, your phone doesn’t even know what the code does, and the website doesn’t have your phone number.

If you unlock your phone while the authenticator app is waiting for MFA, the app recognises that as proof it’s your phone and biometrics. Sends a message to the MFA server, which then sends “yes, it’s him” to the website.

But when you log in, the authenticator service broadcasts the mfa challenge and only one phone can reply to it.

[Responsibility2nd]

Even I don’t understand what you wrote. So if you put up obstacles like this, the average FReeper will certainly just forget about FReeping

The answer is not going complicated with QR codes or two step authentication procedures and the like. Simply moderate the forum like it should be and zot agitators.

[palmer]

The way I’ve set it up - the app generates a unique code representing your username and password, that is 512 bit encrypted, and creates a QR code from it. You scan the QR code into the authenticator app on your phone, and it sends the combined QR+emei encrypted in the other direction.

I'm trying to understand how that is a second factor. I could use any phone to return the encrypted message, not just a particular phone. How would you determine that a particular phone was used?