People have continued arguments from a thread in Group_Help where someone else had 2FA problems, so I probably left all of my "good evidence" there.
It is, however, proven beyond any refutation that this is better, in other words more secure, in this scenario. I have made it clear with very recent real-world cases where it would have been necessary to require the one-time password from 2FA, and it would not have stopped the unauthorized user if they were only required to enter the password.
You also asked about having both factors to disable 2FA. The reason I was not concerned about that is actually because it is common that the intruder has already acquired the regular password, so it protects nothing. The only reason they wouldn't use the same methods to discover the user's OTP as well is because it changes every minute.
On Wed, Nov 4, 2020 at 07:19 AM, Mark Murphy wrote:
I don't know if we have good evidence whether using a password or 2FA is "better" or more secure in this scenario [...]