My company has a lot of people working from the Magento admin. To reduce risks I’ve enforced 2FA with Google Authenticator. It would seem the Magento admin is now well protected.

But I just tried using the REST API with a 2FA-protected account and I was able to do so with just a username and password – there was no 2FA interference. Through the API I can do the same things that I’d be able to do in the Magento admin.

Doesn’t that mean 2FA is there just for show and is easily bypassed? A person with stolen credentials would just use the API instead of the admin to achieve the same result, wouldn’t he?

Or am I overlooking something?
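Whatever the answer on the Magento side, the situation described above means that admin token issuance through the REST API deserves the same monitoring as interactive admin logins. Below is an added example (not part of the question, and not Magento code) of a small audit over web-server access logs: it flags successful admin token requests from outside an allowlist and repeated failed attempts from one source. It assumes the standard combined access-log format, a hypothetical trusted-network allowlist, and the Magento 2 admin token endpoint `/rest/V1/integration/admin/token`; the log lines are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical allowlist: networks from which legitimate integrations and
# admins are expected to request API tokens. Adjust to your environment.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]

# Magento 2 REST endpoint that exchanges an admin username/password for a
# bearer token (the call described in the question).
ADMIN_TOKEN_PATH = "/rest/V1/integration/admin/token"

# Parser for the default nginx/Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one trusted token request, then an untrusted source
# failing three times before succeeding and immediately reading orders.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST /rest/V1/integration/admin/token HTTP/1.1" 200 45 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:14:01:02 +0000] "POST /rest/V1/integration/admin/token HTTP/1.1" 401 78 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:14:01:05 +0000] "POST /rest/V1/integration/admin/token HTTP/1.1" 401 78 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:14:01:09 +0000] "POST /rest/V1/integration/admin/token HTTP/1.1" 401 78 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:14:01:12 +0000] "POST /rest/V1/integration/admin/token HTTP/1.1" 200 45 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:14:01:20 +0000] "GET /rest/V1/orders?searchCriteria[pageSize]=100 HTTP/1.1" 200 9123 "-" "python-requests/2.31"
192.168.1.20 - - [10/Oct/2023:14:05:00 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of ip/time/method/path/status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip, trusted=TRUSTED_NETWORKS):
    """True if the client address falls inside one of the allowlisted networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def audit_admin_token_requests(lines, trusted=TRUSTED_NETWORKS, failure_threshold=3):
    """Scan access-log lines for admin token issuance worth a second look.

    Returns a dict with:
      untrusted_success: (ip, time) pairs where a token was issued to a
                         source outside the allowlist
      repeated_failures: IPs with >= failure_threshold rejected token attempts
    """
    untrusted_success = []
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        # Ignore any query string when matching the endpoint path.
        if rec["path"].split("?")[0] != ADMIN_TOKEN_PATH:
            continue
        if rec["status"] == "200":
            if not is_trusted(rec["ip"], trusted):
                untrusted_success.append((rec["ip"], rec["time"]))
        elif rec["status"] in ("401", "403"):
            failures[rec["ip"]] += 1
    repeated = sorted(ip for ip, n in failures.items() if n >= failure_threshold)
    return {"untrusted_success": untrusted_success, "repeated_failures": repeated}


if __name__ == "__main__":
    report = audit_admin_token_requests(SAMPLE_LOG.splitlines())
    for ip, when in report["untrusted_success"]:
        print(f"ALERT admin API token issued to untrusted source {ip} at {when}")
    for ip in report["repeated_failures"]:
        print(f"WARN repeated failed token attempts from {ip}")
```

Run it against a real access log by replacing `SAMPLE_LOG.splitlines()` with the file's lines. The point of the allowlist is that a password alone obtains an API token, so the network origin of token requests becomes one of the few remaining signals; feeding `untrusted_success` into an alerting pipeline gives you a notification roughly equivalent to "admin login from a new location".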

