Comment by HollowImage on 07/05/2019 at 15:35 UTC

1 upvotes, 0 direct replies (showing 0)

Submission: How to keep your Reddit account safe


most likely in the case that you lose access to your MFA app, you can fall back to some set of checks that allow you to strip it.

common scenario is for people using google authenticator app, which is 100% local to the device, so if your phone gets lost/stolen/dies etc, you would have 0 recourse in getting past any mfa-enabled connection.

verifying your email allows reddit to say "okay so, you dont have mfa, ok. we have an email on file, we will email you a link to disable mfa."

this means the attacker would need the following to break through:

1. your email login and (presumably) your email MFA

2. your reddit mfa token (or mfa being stripped)

3. your reddit password, which should be (in theory) different from your email.

this puts the level of effort for the majority of phishing and hijacking too high to make it worthwhile, leaving only specific targeted attacks against your person's online persona.

Again, mfa is not the end-all be-all, but it's a tremendously helpful deterrent that is designed to make it very very difficult for an attacker to obtain all the moving pieces at once.

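The three-piece argument in the comment above (password, TOTP device, and the e-mail-delivered MFA-strip link) can be made concrete with a small model. This is an added example written for this page, not Reddit's code and not the commenter's; the `Account` class, the simulated mailbox, the 15-minute link lifetime and the scenario names are all assumptions made here for illustration. The `totp()` routine is the standard RFC 6238 computation an authenticator app performs from a secret that lives only on the phone.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: what the authenticator app computes
    locally from a secret that never leaves the device."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class Account:
    """Hypothetical account model (not Reddit's implementation): password,
    optional TOTP MFA, and an e-mail link that strips MFA."""

    def __init__(self, password: str, email: str, mailbox: dict):
        # Toy hash for the demo; a real service would use a slow, salted KDF.
        self.password_hash = hashlib.sha256(password.encode()).hexdigest()
        self.email = email
        self.mailbox = mailbox       # simulated delivery: address -> last message
        self.totp_secret = None      # None means MFA is off
        self.pending_reset = None    # (token, expires_at)

    def enroll_mfa(self) -> bytes:
        self.totp_secret = secrets.token_bytes(20)
        return self.totp_secret      # shown once as a QR code, then only on the phone

    def login(self, password: str, code, now: int) -> bool:
        supplied = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(supplied, self.password_hash):
            return False
        if self.totp_secret is None:
            return True              # MFA off or stripped: password alone suffices
        return code is not None and hmac.compare_digest(code, totp(self.totp_secret, now))

    def request_mfa_reset(self, now: int, ttl: int = 15 * 60) -> None:
        """Assumed recovery path: mail a single-use, time-limited token."""
        token = secrets.token_urlsafe(32)
        self.pending_reset = (token, now + ttl)
        self.mailbox[self.email] = token   # readable only by whoever controls the inbox

    def disable_mfa_with_token(self, token: str, now: int) -> bool:
        if self.pending_reset is None:
            return False
        expected, expires_at = self.pending_reset
        self.pending_reset = None    # single use, whether or not it matches
        if now > expires_at or not hmac.compare_digest(token, expected):
            return False
        self.totp_secret = None
        return True


def attacker_outcomes(now: int = 1_700_000_000) -> dict:
    """Constructed scenarios: which stolen pieces get an attacker (or the
    locked-out owner) past the login? Returns scenario -> logged_in."""
    results = {}

    def fresh():
        mailbox = {}
        acct = Account("reddit-pw", "user@example.com", mailbox)
        acct.enroll_mfa()
        return acct, mailbox

    # 1. Phished password only, no phone, no inbox: TOTP blocks it.
    acct, _ = fresh()
    results["password_only"] = acct.login("reddit-pw", None, now)

    # 2. Password plus a guessed reset token, no inbox access: blocked.
    acct, _ = fresh()
    acct.request_mfa_reset(now)
    stripped = acct.disable_mfa_with_token(secrets.token_urlsafe(32), now)
    results["password_plus_guessed_token"] = stripped or acct.login("reddit-pw", None, now)

    # 3. Password plus control of the e-mail account (the same path the
    #    rightful owner takes after losing the phone): strips MFA, logs in.
    acct, mailbox = fresh()
    acct.request_mfa_reset(now)
    acct.disable_mfa_with_token(mailbox["user@example.com"], now)
    results["password_plus_email"] = acct.login("reddit-pw", None, now)

    # 4. Password plus e-mail, but the link is only found a day later: expired.
    acct, mailbox = fresh()
    acct.request_mfa_reset(now)
    later = now + 86_400
    stripped = acct.disable_mfa_with_token(mailbox["user@example.com"], later)
    results["password_plus_stale_email"] = stripped or acct.login("reddit-pw", None, later)

    return results


if __name__ == "__main__":
    for scenario, got_in in attacker_outcomes().items():
        print(f"{scenario:30s} -> {'logged in' if got_in else 'blocked'}")
```

Scenario 3 is the point the comment makes: the e-mail reset link is a deliberate bypass of the phone, so the inbox (and its own MFA) becomes part of the Reddit account's attack surface, and reusing the e-mail password for Reddit collapses the three pieces into one.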