Do recovery codes defeat the purpose of 2FA? I think so

Services which support 2FA usually provide recovery code(s) to ensure that if access to the linked OTP device is lost, the user can still sign in.

However, this seems to defeat the point of 2FA.

Without 2FA, an adversary can access an account by using brute force to obtain a password.

With 2FA, such an attack is insufficient, as the adversary would remain locked out without access to the linked device used as a second factor.

With 2FA recovery codes, however, the adversary can brute force these too.

Therefore, it seems like a 20 character single password is much stronger than a 10 character password with OTP as a second factor if this comes with a 10 character recovery code.

This is because it will take longer to brute force a 20 character password than to brute force a 10 character password followed by another 10 character recovery code, because there are far more possible combinations in the former. (in the same way 10x10 is bigger than 5x5 + 5x5).

Increasing the length of a password by the character number of a 2FA recovery code therefore seems like a better security strategy than enabling 2FA.

Enabling 2FA increases the risk of becoming locked out of an account, as it requires the saving of an additional password (recovery code). It doesn’t seem worth it.

1 Like

User error is usually greater than the service's error, that's why 2FA is advised.

An online service can't really be brute forced, unless their data (hashes) gets leaked. And when this happens they usually inform you to change your password.

Also the term “recovery codes” you are using is wrong, you mean backup codes.

1 Like

Proton Mail will now provide you with several 1-time use recovery codes. Please save these codes in a secure place and do not lose them.

I guess Proton uses the wrong term too?

3 Likes

How does 2FA protect “user error” ?

Why can’t it? Do all good email providers block access to an account if there are too many failed login attempts? Even when such login attempts are not through their own applications, but IMAP?

TOTP is based on a “password”, too. The codes are derived from a secret key, that looks like this: HVR4CFHAFOWFGGFAGSA5JVTIMMPG6GMT

A strong secret, whether that be a password or a TOTP secret, cannot be brute forced. The reason TOTP improves security is because a password is known to the user so it’s vulnerable to phishing or coercion.

1 Like
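Added example, not code from anyone in this thread: the first post reasons about search spaces (a 20 character password versus a 10 character password followed by a 10 character recovery code), and the reply above notes that TOTP codes are derived from a base32 secret such as the one quoted. The block below decodes a secret of that form to show its size, derives TOTP codes the RFC 6238 way (HMAC-SHA1 over a 30 second counter, dynamic truncation), and compares the attacker's work for the options discussed. The base32 string is the one quoted in the reply and is treated purely as a sample value; the 62-character alphabet and the lockout rate are assumptions for the arithmetic.

```python
"""Added worked example: TOTP derivation and brute-force search-space comparison."""
import base64
import hashlib
import hmac
import math
import struct

# Sample secret quoted in the thread above; 32 base32 characters = 160 bits.
EXAMPLE_BASE32_SECRET = "HVR4CFHAFOWFGGFAGSA5JVTIMMPG6GMT"


def decode_base32_secret(secret_b32: str) -> bytes:
    """Authenticator apps store the shared secret as (usually unpadded) base32."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def hotp(key: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6, step: int = 30,
         digest=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits, digest)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of strings of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def sequential_attack_bits(*space_sizes: int) -> float:
    """Worst-case work to guess one secret and then the next: the spaces add,
    they do not multiply (this is the first post's 5x5 + 5x5 point)."""
    return math.log2(sum(space_sizes))


def online_guess_hours(code_digits: int, attempts_per_hour: int) -> float:
    """Average hours to guess a code online when the service throttles logins.
    Each attempt against a rotating 6-digit TOTP has a 1 in 10**digits chance,
    so rotation does not help the attacker; the throttle sets the pace.
    attempts_per_hour is an assumed lockout policy, not any vendor's figure."""
    return (10 ** code_digits / 2) / attempts_per_hour


if __name__ == "__main__":
    key = decode_base32_secret(EXAMPLE_BASE32_SECRET)
    print(f"secret is {len(key) * 8} bits")
    print("current-style code at t=1700000000:", totp(key, 1700000000))
    print(f"20-char password over 62 symbols: {keyspace_bits(62, 20):.1f} bits")
    print(f"10-char password then 10-char code: "
          f"{sequential_attack_bits(62 ** 10, 62 ** 10):.1f} bits")
    print(f"online 6-digit guessing at 100 tries/hour: "
          f"{online_guess_hours(6, 100):.0f} hours on average")
```

Two things the arithmetic makes concrete: a 20 character password over 62 symbols is about 119 bits, while guessing a 10 character password and then a 10 character code is about 60.5 bits of work in the worst case, so the first post's ordering is right for an offline attack. The reply's point is the other half: a TOTP secret of the size quoted is 160 bits and is never typed by the user, and the 6-digit codes it produces can only be attacked online, where the service's throttle, not the code length, sets the pace.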

I think your logic is a bit flawed.

Brute forcing a 10 character password then 10 character recovery code may “technically” be easier. But most sites block brute force attempts. Let’s say they got your password hash in a dump and then brute force recovery codes - I also doubt a product would allow brute forcing recovery codes before locking an account. While that depends on the site, I’d say 2FA mitigates the risk of assuming your password alone is sufficient.

With that, as others have said, TOTP is quite resistant to other attacks.

Someone really good at math will have to compute the probability of this.

Say an online account gives you 6 backup codes. A hacker would have to know your username and password and then start brute force attempts. Typically most reliable sites will note something is going on, and might prompt you to change your password or just lock your account, thus going to backup measures for that workflow and for you.

A million codes, each valid for 30 seconds before rotating, and somewhere in there is 1 to maybe 10 static codes. Still going to be hard to find and exploit.

OK… so if the purpose of 2FA isn’t to protect from brute-force (which wouldn’t work for online products, apparently), then can I have some concrete examples of attacks which would work. Phishing and coercion are mentioned, but I don’t know how a security conscious person could fall prey to such.

Much more likely is me enabling 2FA and somehow making a mistake in saving the recovery codes, and then losing my device, and then losing access to my account. I think?