In-Application Defense

Once you have 2FA in place, you’ll definitely want to require it for login. In fact, 2FA at login time is what most people think of when they think of 2FA. But 2FA can also be required by applications before allowing particularly sensitive operations. Examples of sensitive operations include changing passwords, changing the email address used for the current account, and transferring money. Requiring 2FA for sensitive operations means that even if an attacker got past the login 2FA (for example, by physical access to an unattended, logged-in computer, or by man-in-the-middling a TOTP login), the attacker would need to bypass 2FA a second time, which is difficult.

Another defense for highly sensitive operations is a four-eyes check. In a four-eyes check, two different people must give approval before a system will perform highly sensitive operations. These approvals are audited. This significantly raises the bar for an attacker.

The four-eyes check and the additional 2FA challenge are both strong defenses. Additionally, they are both noisy defenses. Attacks that are stopped by either of them leave behind clear, high-quality signals for later analysis. Unfortunately, they must be used sparingly because they carry such a heavy usability cost. They can only be added to the most sensitive operations.
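The two gates described above, step-up 2FA for sensitive operations and a four-eyes check for highly sensitive ones, are shown together below as an added example. This is not code from the book; the in-memory session and audit log, the five-minute freshness window, and the operation names are assumptions made for the illustration. The point it demonstrates is that both gates refuse by default, count only distinct approvers, and write an audit event whether they allow or refuse.

```python
import time
from dataclasses import dataclass, field
from typing import List, Optional, Set

# How long a passed 2FA challenge counts as "fresh" for step-up checks.
# An assumption for this example; pick a window per operation in practice.
STEP_UP_MAX_AGE_SECONDS = 5 * 60
REQUIRED_APPROVALS = 2  # four-eyes: two different people must approve


class AuthorizationError(Exception):
    """Raised when a gate refuses an operation; every refusal is audited too."""


@dataclass
class Session:
    user: str
    # Time this session last passed a 2FA challenge, or None if it never has.
    last_2fa_at: Optional[float] = None


@dataclass
class AuditLog:
    """Constructed in-memory audit trail; a real system would ship these events off-host."""
    events: List[dict] = field(default_factory=list)

    def record(self, kind: str, **details) -> None:
        self.events.append({"kind": kind, "at": time.time(), **details})


def require_fresh_2fa(session: Session, audit: AuditLog, now: Optional[float] = None) -> None:
    """Step-up gate: refuse unless this session passed 2FA within the freshness window.

    A login-time 2FA that an attacker rode past (unattended machine, relayed
    login) does not help here: the challenge has to be passed again.
    """
    now = time.time() if now is None else now
    age = None if session.last_2fa_at is None else now - session.last_2fa_at
    if age is None or age > STEP_UP_MAX_AGE_SECONDS:
        audit.record("step_up_refused", user=session.user, age_seconds=age)
        raise AuthorizationError("fresh 2FA required for this operation")


def change_email(session: Session, new_email: str, audit: AuditLog,
                 now: Optional[float] = None) -> str:
    """A sensitive operation guarded by step-up 2FA alone."""
    require_fresh_2fa(session, audit, now)
    audit.record("email_changed", user=session.user, new_email=new_email)
    return new_email


class FourEyesRequest:
    """A pending highly sensitive operation that needs two distinct approvers."""

    def __init__(self, requester: str, action: str, audit: AuditLog):
        self.requester = requester
        self.action = action
        self.audit = audit
        self.approvers: Set[str] = set()
        self.executed = False
        audit.record("approval_requested", user=requester, action=action)

    def approve(self, approver: str) -> bool:
        """Record one approval; returns True once enough distinct people have approved."""
        if approver == self.requester:
            self.audit.record("approval_refused", user=approver, action=self.action,
                              reason="self-approval")
            raise AuthorizationError("requester may not approve their own request")
        if approver in self.approvers:
            self.audit.record("approval_refused", user=approver, action=self.action,
                              reason="duplicate approver")
            raise AuthorizationError("each approver counts only once")
        self.approvers.add(approver)
        self.audit.record("approval_granted", user=approver, action=self.action)
        return len(self.approvers) >= REQUIRED_APPROVALS

    def execute(self, session: Session, now: Optional[float] = None) -> str:
        """Perform the action: requester only, with fresh 2FA and complete approvals."""
        if session.user != self.requester:
            self.audit.record("execution_refused", user=session.user, action=self.action,
                              reason="not requester")
            raise AuthorizationError("only the requester may execute")
        require_fresh_2fa(session, self.audit, now)
        if len(self.approvers) < REQUIRED_APPROVALS:
            self.audit.record("execution_refused", user=session.user, action=self.action,
                              reason="approvals incomplete", approvals=len(self.approvers))
            raise AuthorizationError("four-eyes approval incomplete")
        self.executed = True
        self.audit.record("executed", user=session.user, action=self.action,
                          approvers=sorted(self.approvers))
        return self.action
```

Because every refused attempt lands in the audit log with a reason, the "noisy" property the text mentions falls out naturally: a stolen session hitting `change_email` without fresh 2FA, or one person trying to approve their own transfer, leaves a distinct event to alert on.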

If you use a cloud hosting service like AWS,[131] you’ll want to protect your AWS admin accounts with 2FA. These account credentials are just about the most important data you have. If the credentials for these are leaked, or if the admins reuse credentials from another site that gets compromised, then attackers will be able to take over your entire cloud infrastructure.
