> If the second factor were enough security why even have the password?
Having two factors is better. But obviously neither of them should be a conventional password because passwords are crap.
You can have WebAuthn set to do usernameless authentication, with the two factors both being local. So when you visit a site with this behaviour and it wants authentication, you maybe touch your fingerprint sensor on your phone, that's one factor, having the phone is the other factor, that's two factors, the phone hands over credentials including a large identifier that's equivalent to a user ID for the site, plus its assurance that you are present (based on the fingerprint) and a signature proving it is still the same phone used to sign up for this method. No typing your email address, no passwords, much better security.
> He can just be 1000000 clients each only trying once. And if you block them you also block the user.
Yes, if you rate limit attackers you also rate limit the real user.
But as an attacker, what value am I getting from that? Maybe it's a chargeable service I can sell? It certainly doesn't help me steal gift cards.
$1000 per hour to annoy a friend by preventing them from logging into their email? Not many buyers at that price.
$100 per hour? $10 per hour? $1 per hour? Remember that to fuel this you are throwing away a botnet so that you can hammer on the login until you get blocked, and botnets aren't that cheap to buy.
Yes you can have proper security. But this is about the Microsoft solution where you don’t, where you can first guess the password and then guess the 2fa code. Which is not very smart, considering it’s not that much harder to check both at the same time and fail when either is wrong.
They can switch to display the right one when you enter your email address, they already do this. And of course indeed it doesn’t work with methods like sms and emailing codes, both of which are not secure anyway.
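The point above, that a login should evaluate the password and the second factor together and report a single failure rather than rejecting step by step, as an added example (not code from anyone in this thread or from Microsoft). It assumes a TOTP code as the second factor and uses PBKDF2 for the password hash; the user record, salt and TOTP secret (the well-known RFC 4226/6238 test key) are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo parameters; a real store would use a random per-user salt.
PBKDF2_ITERATIONS = 200_000
DEMO_SALT = b"demo-salt-16byte"
DEMO_TOTP_SECRET = b"12345678901234567890"  # RFC 4226/6238 test-vector key
TOTP_STEP = 30


def hash_password(password: str, salt: bytes = DEMO_SALT) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password (demo settings, not tuned for production)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, for_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with the RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed demo account record.
DEMO_USER = {
    "password_hash": hash_password("correct horse battery staple"),
    "totp_secret": DEMO_TOTP_SECRET,
}


def code_matches(user: dict, code: str, now: int) -> bool:
    """Accept the current TOTP step plus one step of clock drift either way."""
    ok = False
    for skew in (-1, 0, 1):
        expected = totp(user["totp_secret"], now + skew * TOTP_STEP)
        # Keep evaluating every window so timing does not depend on which one matched.
        ok |= hmac.compare_digest(expected, code)
    return ok


def verify_login_separately(user: dict, password: str, code: str, now: int) -> str:
    """The pattern criticised in the thread: stop at the first wrong factor and say
    which one it was, so a guesser learns the password before needing a valid code."""
    if not hmac.compare_digest(hash_password(password), user["password_hash"]):
        return "bad password"
    if not code_matches(user, code, now):
        return "bad code"
    return "ok"


def verify_login_together(user: dict, password: str, code: str, now: int) -> str:
    """Evaluate both factors unconditionally, then return one generic result, so a
    wrong password and a wrong code are indistinguishable to whoever is guessing."""
    password_ok = hmac.compare_digest(hash_password(password), user["password_hash"])
    code_ok = code_matches(user, code, now)
    # Bitwise & on bools: both values are already computed, nothing short-circuits.
    return "ok" if (password_ok & code_ok) else "login failed"


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the expected 6-digit code here is 287082
    print(totp(DEMO_TOTP_SECRET, now))
    print(verify_login_separately(DEMO_USER, "wrong", "000000", now))
    print(verify_login_together(DEMO_USER, "wrong", "000000", now))
    print(verify_login_together(DEMO_USER, "correct horse battery staple", "287082", now))
```

The separate variant hands back "bad password" or "bad code" depending on which factor failed; the combined variant computes both factors every time and collapses every failure into the same response, which is the behaviour the comment asks for. Rate limiting and lockout policy are a separate decision and are not shown here.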
> They can switch to display the right one when you enter your email address, they already do this
So the effect here is this gives bad guys a free targeting feature. Just type in any email address and Microsoft will tell you which 2FA is enabled, if any.
> And of course indeed it doesn’t work with methods like sms and emailing codes
So, it doesn't help at all for the good case, and it breaks the bad case worse, what was the goal again?
WebAuthn is the good case, which is the case you didn't break since it doesn't care about any of this. And you made the bad cases worse. So good news I guess, "At least Microsoft aren't as bad at this as tinus_hn".