Here’s a polarizing question: is a phone a second factor, in the context of two-factor authentication? Fellow infosec pro @johnnysunshine tweeted the above last week, and sparked a lively debate.
Before answering the question, let’s back up a bit and explain two-factor authentication (or 2fa). To borrow an analogy I first used two years ago: 10,000 years ago, Grog and Mag formed a secret club. To ensure new members of the club would be accepted, they came up with a secret phrase. Thus was born the first password. One day Narg overheard two members greeting one another and learned the secret phrase. Thus occurred the first password breach.
Passwords can be stolen though, whether through a server database breach, or via a phishing scam, or by keylogging malware that captures the password as you enter it into a webpage.
