I agree that using a password manager is best practice.
SpaethCo wrote: Sun Apr 28, 2019 4:38 pm
I’m sad to say, this isn’t necessarily true.
2FA is the second authentication factor, so the important question is: how did the attacker get the password? The rise of 2FA (Google authenticator / SMS style) was based on the premise that people were picking simple passwords and re-using them everywhere, and that’s how passwords were primarily being compromised. More recent research has shown that the primary method of password theft is actually phishing, and unfortunately Google Auth / SMS / Authy 2FA is fully phish-able.
The best security protection these days is using a URL matching password manager (any password manager that does autofill), and using U2F tokens where they are accepted. Other forms of 2FA are just passwords, and those passwords can be stolen in real-time with minimal effort.
Simply stated: If you are typing in passwords to online sites using your keyboard or copy/paste, you are highly vulnerable.
But I stand by my statement that using two-factor authentication, even SMS, is still significantly more secure than not using two-factor authentication at all.
Another important practice: never click on any link to log in to any account.
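The quoted point about URL-matching password managers, as an added example that is not part of the original thread: a sketch of the origin check an autofilling manager performs before offering a saved login. The vault entry, the site name and the function names are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed vault: credentials keyed by the exact origin they were saved on.
VAULT = {"https://login.bank.example": ("alice", "correct-horse-battery")}

def origin_of(url):
    """Return the canonical https origin of a URL, or None if it is unusable."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname      # lowercased; text before '@' is not the host
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not host:
        return None                # never fill on plain HTTP
    try:
        # Internationalized names become punycode, so a look-alike letter
        # produces a visibly different "xn--" host that cannot match.
        host = host.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return None
    if port in (None, 443):
        return f"https://{host}"
    return f"https://{host}:{port}"

def autofill(page_url):
    """Offer saved credentials only when the page origin matches exactly."""
    return VAULT.get(origin_of(page_url))

if __name__ == "__main__":
    # Constructed sample pages: the genuine site, then three look-alikes.
    for page in (
        "https://login.bank.example/signin",
        "https://login.bank.example.evil.test/signin",
        "https://login.bank.example@evil.test/signin",
        "https://login.b\u0430nk.example/signin",   # Cyrillic 'a'
    ):
        print(page, "->", "fill" if autofill(page) else "no match, nothing offered")
```

The manager compares machine-readable origins rather than what the address bar looks like, so a missing autofill prompt on a familiar-looking login page is itself a signal worth acting on.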