5 mo. ago • 85%

what is the worst thing can happen if you leak your 2FA/MFA secret?

13 comments

Your mfa is now mfa-1

30
- MFA - 1 = SFA
  
  aka password login
  
  1
  
  MFA is not necessarily only 2 factors and single factor is not necessarily a password.
  
  3
  
  Only under the assumption that 2>=M>1
  
  1
Worst thing? Someone with access to your password can now break into the associated account, and use that access to snoop or potentially permanently lock you out. E2EE data could be lost forever if they change the password and 2FA.

More likely? Unless you reuse passwords, or the associated site has been recently compromised, pretty low odds of compromise. If you suspect your 2FA has leaked, just get a new secret, easy peasy. Most reputable sites should alert you to a login on a new device, potentially giving you time to react or alerting you of snooping.

If your secret leaks without context on what site it's associated with, then unless your name is Taylor Swift, odds of someone associating it to a site, let alone the matching password, are astronomical.

8
Do you mean individual 10 second 6 digit codes? If so very little. If the underlying secret, then they can Google Authenticator codes as if they're you.

7
- Do you mean individual 10 second 6 digit codes?
  
  no, the underlying secret
  
  2
  
  Oh, well then they're just you, per that factor like having your password
  
  6
  
  Change your shit asap. Anyone who has access to it can theoretically auth as you on any site or product that uses that 2fa setup. They would still need to have your underlying credentials that would initiate the 2fa protocol exchange anyway, but if they have access to your underlying 2fa secret, its not too far fetched to believe they may have other credentials potentially, depending on how you've secured the access and where you store your credentials. To be safe and not paranoid, it's best to just do a root trust rotation and cycle the underlying auth creds
  
  2
Then your password (your other, "first" factor) is the only thing preventing an intruder impersonates you.

You'll still have to go through the hassle the now useless second factor puts you through, so you might as well update your second factor even if you trust your first to be very secure.

6
For accounts like Microsoft accounts, using a passwordless login you can login and take ownership of the account

5
Change it and be done

2

You've viewed 13 comments.