I think this meme, describes my thoughts when I read this thread. I am not trying to insult the person but only the content tho I may fail to do so at some point...
NO, Auth apps and MFA (2FA is part of MFA) DO NOT BREAK ANONYMITY
I would not have a single issue if this was phrased in the form of a question and the OP was interested to know more, but he phrased it as an absolute statement which (in his head) is true.
I mean it's not like there aren't search engines to ask things like:
* Do authenticator apps hold any logs/records?
* How does MFA work?
* Can I be identified when using an authenticator app
* Why do they ask for my phone/personal device??????????? <---hint most important
I'll give some very simple answers not only for the OP's benefit but for others who may read this god awful title and think the worse, and after that, the OP and whoever else has doubts can search the net for relatively detailed info
Q:
Do authenticator apps track my activity or keep logs/records?
A: No, authenticator Apps Generate code locally and even off the internet and only keep the sites on the device itself.
Q:
Can I be identified when using an authenticator app?
A: No, the IP/Location is not visible to anyone as the app doesn't need the internet to generate codes.
Q:
Why do they ask for my phone number/personal device?
A: Because how the hell else would any auth app know that you... are you?
I mean it's in the name. Authenticator as in authenticating that you are the real you.
How else can one stop me from using an auth app to pretend I am you? If they didn't "bind" an auth app to a person, anyone can download an authenticator and pretend they are everyone else...
This is so wrong on so many levels...
The company (any company) knows only 2 things, 1. A phone number/device (not even your name), and 2. the fact that you are installing an auth app. After that point, they have NO knowledge of where you used it, how many sites you used it, or when you used it. So what exactly will they say to authorities? There is no LINK between your username here, and your phone number or the auth app. We don't even know what auth app each and everyone is using. Some use MS, some Google, some winAuth... That is why it is called TWO FACTOR, and is secure, cause we don't know the second factor which is your device that has the authenticator app and neither anyone else that will try to steal your account and pretend to be you, either here, or at your bank, or at shopping online.
Even if a company has your phone number, it's ONLY proof that the auth app is installed on your device and NOT proof as to when and where it's used. NO ONE else knows that but your phone/PC (look at the questions above).
And to close this... did anyone tell you that it's illegal to visit a site? ANY site? The unlikely fact that there is proof that you have an auth app only proves that you MAY requested a secure code and asked to be authenticated by... possible ANY site that uses MFA. No one but you can link your auth app to a specific site.
Using 2 step verification is in this sense much less secure!
At least until we find a 2 step mechanism that doesn't destroy anonymity.
I hope now you see how wrong this is. MFA especially if done right from both sides (you and us) can provide much greater security. Of course, if you get a virus that steals your cookies, it may bypass the MFA at least till you request a new key, but then again, it's your fault if you got an info stealer and not of MFAs
Please research before you form an opinion and make statements such as the one you made and don't hesitate to ask if not sure.
When you write publicly that MFA can reveal you're identity you potentially can scare other people.
