2FA Effectiveness Debate
Comments debate the strengths and limitations of two-factor authentication (2FA), especially against phishing, password leaks, device access, and proxy attacks.
Sample Comments
Usually companies send the 2FA token once the password has been entered. So someone has your password and you're only saved by 2FA. So you can start by changing your password maybe?
The attacker could proxy the 2FA request from the real site using the password you enter and therefore you wouldn't be protected.
Is this something that 2FA would protect against? Doesn't seem like it...
Yes. It's not 2FA anymore but it still protects you when your password gets leaked.
I'm not sure 2 factor would help. The hackers could echo his 2 factor key he typed into their fake login page to the real login page.
2FA doesn't help if they used SSH access
2FA protects against two different attacks: 1) Hacker obtaining your password (through phishing, compromise of third party, etc.) 2) _You_ actually being compromised yourself somehow. It is still effective for the first protection if you store your codes in your password manager, but less for the second. I say less, and not completely, because if your machine is compromised, gaining access to your phone too is only a matter of time. Of course this can be mitigated by proper hardware tokens, but most
With two factor authentication it won't hurt you, even if your username and password get compromised.
2 factor doesn't protect against phishing. It's trivial for a phishing site to ask for a 2fa code, and then immediately use that to sign in on your behalf.
Not really. The phisher can just ask for the second factor the same way they ask for the password.