Necessity of one-time codes in 2FA


Why is it that some services, when they perform 2FA, ask you to copy a code from an app, even if that app is part of that service's infrastructure? For example, when I log in via the web to Messenger, as part of 2FA the Messenger app on my phone not only asks for consent, but also shows a code that needs to be typed into the web service.

What additional security does this code introduce over just giving consent in the app? The iCloud login works similarly, and a different approach is taken by Google, where, when logging in via the web under 2FA, you just click consent in the app, without the code. Is Google's solution any less secure?

Best Answer

It ensures the target human is on both the app and the website.

If you just click "it's me!" or similar, then when all your money is stolen you can say

  • "BUT I CLICK AGREE TO A MILLION POPUPS ALL THE TIME! HOW WAS I SUPPOSED TO KNOW!!?!??"
  • "My super cute two year old clicked it!"
  • "I thought it was for another login!"

etc.

If you have to repeat the "are you sure this is what you mean" from the app on the website, then those excuses don't work.

Does that count as "more secure"? I guess it's arguable. It would be a tough attack to pull off where you try to time your attack to the same time the user is doing something, so they click twice and assume it's just a bug.
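The binding the answer describes, modelled as an added example (constructed toy code, not the code of Messenger, iCloud or Google): a server with two pending login attempts on one account, where a consent-only tap approves whichever prompt the phone presented, while a per-attempt code typed into the browser only ever approves the attempt that browser started. The class and function names are hypothetical.

```python
import secrets

class LoginServer:
    """Constructed toy model (not any vendor's code) of app-based login approval."""

    def __init__(self):
        self.pending = {}      # attempt_id -> code the app shows for that attempt
        self.approved = set()

    def start_web_login(self):
        """A browser starts a login; the server pushes a per-attempt code to the app."""
        attempt_id = secrets.token_hex(4)
        code = f"{secrets.randbelow(1_000_000):06d}"
        while code in self.pending.values():   # keep pending codes distinct
            code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending[attempt_id] = code
        return attempt_id

    def app_display(self, attempt_id):
        """The code the phone shows for this pending attempt."""
        return self.pending[attempt_id]

    def approve_consent_only(self, attempt_id):
        """Scheme 1: tapping 'yes' on the phone approves the attempt outright."""
        if self.pending.pop(attempt_id, None) is None:
            return False
        self.approved.add(attempt_id)
        return True

    def approve_with_code(self, attempt_id, typed_code):
        """Scheme 2: the browser that started the attempt must submit the code
        the app displayed for it; a tap on the phone alone approves nothing."""
        expected = self.pending.get(attempt_id)
        if expected is None or not secrets.compare_digest(expected, typed_code):
            return False
        del self.pending[attempt_id]
        self.approved.add(attempt_id)
        return True

def accidental_approval():
    """Two attempts pending on one account, the user's own and one they did not
    start; returns (foreign approved via code?, foreign approved via consent?)."""
    srv = LoginServer()
    own, foreign = srv.start_web_login(), srv.start_web_login()
    code = srv.app_display(own)     # what the user's phone shows for 'own'
    # The user types the code only into their own page; it is useless for 'foreign'.
    assert srv.approve_with_code(own, code)
    by_code = srv.approve_with_code(foreign, code)
    # Consent-only: nothing ties the tap to a browser, so a tap meant for 'own'
    # approves whichever attempt the app happened to present.
    by_consent = srv.approve_consent_only(foreign)
    return by_code, by_consent
```

`accidental_approval()` returns `(False, True)`: the code scheme refuses the attempt the user never saw, the consent-only scheme approves it.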
