>>
>> So I admit I've not done it. Have I misunderstood how it works?
>>
It all depends on how it is implemented.
Two-factor authentication can work in a number of ways, but generally relies on checking "something you know" and "something you've got" (though there are little-used alternatives to the latter).
The "something you know" is generally a password/PIN, etc. The "something you have" might be quite varied.
Sending you a code to a known 'phone number is one way (subsequently entering the code proves you have the 'phone). As above, if the "signature" of your device can be captured (or possibly even IP address, though this is rather more risky) then a password entered from a known device might be considered enough (though, frankly, I don't consider it as safe as a one-time code, since the password might be auto-inserted by a browser).
I suspect a number of ex- and current IT people on here might well have been au fait with "tokens" that generated one-time codes for secure log-ins (proving you had the token).