2FA is Safer but not Safe

6th August 2020

2FA does increase website security, but don't think this makes you completely safe. Web pages were originally designed to be stateless, when they only showed public information. As the technology advanced, they became more complex and included private information, and we needed to log on to see information that is only for our eyes, or to prove that we are who we say we are. To make this jump from stateless to stateful, websites used a cookie to save our information and our progress, such as who we are and what is in our shopping cart. This cookie is saved on YOUR PC, not on the web server. The downside is that after we authenticate, the underlying website believes that anyone holding your cookie is you. So if a malcontent can get your cookies, over the network, via malware on your PC, or even via JavaScript in another window, they can steal any session you have, INCLUDING any session that was authenticated with 2FA, i.e. your online banking.

Mitigations: eventually browsers developed a cookie attribute called HttpOnly that helps to protect your cookies from being stolen by JavaScript. You can see this attribute in Firefox by hitting F12, then the Storage tab, then Cookies; click on a cookie in the middle column, and in the right-hand "Data" window, about 5 items down, you should see an entry named HttpOnly: true/false.

Some cookies are unimportant and don't need HttpOnly, but if it's a site you log on to, most of them should be protected.