My thoughts on 2fa for mobiles
It’s just another confirmation that the remote app is in fact being used from an approved or known device.
My opinion is that it is not so much for security as some think it is.
Is it really 2FA if it is on the same device?
E.g. if I leave my mobile open and lying around, then almost everything is accessible to anyone anyway.
Often the 2FA is on the mobile itself (app, text message, etc.).
If adding my own Office 365 account to my email app, or to any site needing a login on the phone, it will open the authentication app and approve almost automatically. This is for my own accounts, as I have the username, password and the 2FA.
However, if my credentials are compromised, an unknown person could download apps like Itarian Remote and could in fact sign in, but would fail to get past the 2FA challenges.
Take PayPal as an example: it requires 2FA, which is easy on the device if using a text message or 2FA app, but again, if someone else tried on another device they would also fail to complete a payment.
The remote app should have 2FA, but it also needs the end user to take precautions, as the mobile device is not secure enough.
Would a PIN or biometric to unlock the remote app be a good idea? YES, mandatory and no exceptions.
It is something only the user should know or have.
Just like banking apps require, at least the ones I use in Australia.
It's different when using a PC or web login, as the 2FA is on a different device like a mobile or USB key etc. That's what I consider proper 2FA.