When is 2FA not 2FA (or 1FA ;-)?

sfware

    So 2FA (Two Factor Authentication, or what T-Mobile likes to call 2nd Factor Authentication, or some call "multi factor authentication") has become more important as "time" passes (and see the other good post suggesting TOTP (time-based one-time password algorithm)).


    If you enable 2FA with T-Mobile, the option text says:


      "Each time you sign into your Account, you need to enter your password and complete an additional verification step that you choose"


    Please note the "and" in the text above from the T-Mobile site. And yes, this 2FA works well initially from the web site or app, but...


    Recently, with 2FA enabled for T-Mobile, from the current T-Mobile USA app for Android, and still logged in to the app, I get the 2nd part of 2FA (send a text code or answer security questions), but not the first (T-Mobile ID and password - already logged in ;-). Not sure how this is any more secure (especially the send a text with a code part) than without 2FA because it's acting like 1FA. Note that yes, I did initially authenticate with 2FA to the T-Mobile app, and did select the option to stay logged in.


    So from my phone, my expectation would be not to be prompted to receive a text code (or answer security questions) to authenticate whilst still logged in (authenticated) to the app, almost every time I access the app, because I already did 2FA. Maybe T-Mobile has a timeout in the app causing this consternation that needs to be turned off?


    Thoughts?