Magento 2 security question

My company has a lot of people working from the Magento admin. To reduce risks I’ve enforced 2FA with Google Authenticator. It would seem the Magento admin is now well protected.

But I just tried using the REST API with a 2FA-protected account and I was able to so with just a username and password – there was no 2FA interference. Through the API I can do same things that I’d be able to do in the Magento admin.

Doesn’t that mean 2FA is there just for show and is easily bypassed? A person with stolen credentials would just use the API instead of the admin to achieve the same result, wouldn’t he?

Or am I overlooking something?

submitted by /u/Necessary_Mammoth
[link] [comments]