
Is using TOTP from Authenticator app on a mobile device instead of passwords inherently 2FA?

Çağlar Arlı

A related discussion can be found, specifically addressing the security implications of using only TOTP for single-factor authentication. However, in my view, using a TOTP code from Google Authenticator on a mobile device effectively constitutes two-factor authentication. Provided that every user secures their phone with a PIN, which is "something they know", this would represent the first factor. Possession of the device itself becomes the second factor, "something you have." Therefore, employing TOTP alone instead of passwords should be considered as two-factor authentication, shouldn't it? With the exception of the first registration step, where the user is granted the secret seed for TOTP generation.