I'm trying to understand how that is a second factor. I could use any phone to return the encrypted message, not just a particular phone. How would you determine that a particular phone was used?
An IMEI (International Mobile Equipment Identity) is a unique 15-digit code that identifies a mobile device, like a phone, similar to a VIN number on a car.
So in simple terms the MFA service generates an encrypted string from “FREEREPUBLIC-USERNAME-PASSWORD” and turns it into a QR code.
Nothing else knows how to decrypt the string, except that specific MFA app. If you use a photo app, QR scanner app, or Google Authenticator, they’ll throw an error because they can’t decrypt it.
When you scan the code, your phone adds its IMEI. So the MFA server receives “FREEREPUBLIC-USERNAME-PASSWORD-IMEI”.
Registration over.
From that point on, your username and password are tied to that specific app and the specific handset. A simple unlock challenge regenerates the encrypted string, i.e. “this is my username, this is my password, and I’m using THIS phone with THIS IMEI.”
If that matches what you registered, you’re logged in successfully.
If you lose your phone, you can go through the registration process again on the replacement phone, which can be done by emailing you a temporary code.