/tags/passkeys/ Recent content in Passkeys on Napat's Inverse Blog Hugo en-us Fri, 27 Mar 2026 13:15:22 +0700 /2026-03-27-two-factor-authentication-is-not-what-you-think/ Fri, 27 Mar 2026 13:15:22 +0700 /2026-03-27-two-factor-authentication-is-not-what-you-think/ <p>Most people believe they understand 2FA. You have a password. You have an app that generates a six-digit code. Two things. Two factors. You are protected.</p> <p>They are not entirely wrong. But they are right about the mechanics and wrong about what those mechanics actually guarantee.</p> <hr> <p>The original idea behind multi-factor authentication was elegant. Security researchers observed that any single secret can leak. Passwords get stolen. Databases get breached. So they proposed combining secrets from fundamentally different <em>categories</em>: something you <em>know</em>, something you <em>have</em>, something you <em>are</em>. The key insight was not the number of steps — it was orthogonality. A thief who steals your password from a server breach still cannot log in because they do not physically possess your phone. The factors are independent. Compromise one, and the other remains intact.</p>