(There is a highly related question, however I believe mine is not a duplicate, since it deals with resetting a password without access to the account, not changing it while being logged in.)
Say someone has gained access to my email that I used to register some accounts with. Assume also that these accounts all have some kind of 2FA, be it a 30-second code generated by an app, a U2F key – the type doesn’t matter for my question.
In my understanding, in order for the attacker to change the password of an account, there are two ways:
1. Log into the account and change the password in the internal settings, without using the associated email. Even if we leave our computer/phone unattended with an active session of the relevant account, thereby bypassing the need for the hacker to also guess the account password, the change is still impossible. This is because, as explained in the question linked above, this would require at least 2FA verification, possibly 2FA + the original account password.
2. On the log-in screen for the account, use the ‘reset password’ option to send a reset email to the email account that we assumed the hacker had access to. I am confused as to what happens then:
1) Is the 2FA needed to send the reset email in the first place? If not,
2) is the attacker able to reset the password, but not to actually log in, since the 2FA is still in place? This essentially means that they can’t access the account, but neither can we.
3) Is the attacker able to reset the password and log into the account, since the 2FA somehow becomes void?
Of course, scenario 1) is the most desirable from the perspective of the legitimate user, 2) is significantly worse, 3) is tragic. But which one actually happens when someone tries to reset a password for an account with 2FA enabled?
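Whether the outcome is scenario 2) or 3) depends on one design decision in the service's reset handler: does completing an email-driven reset leave the second factor enrolled, or does it clear it? The following toy model is an added illustration, not code from the question or from any real service, and every name in it (`Service`, `Account`, `run_scenario`, the `clear_mfa_on_reset` switch, the constructed secret and timestamps) is hypothetical. It implements RFC 6238 TOTP for the second factor, an email-only reset token, and a login that requires both factors, then runs the same attack (attacker reads the reset token from the mailbox and sets a new password) against both handler designs so the two outcomes can be compared directly.

```python
"""Added illustration: how an email-only password reset interacts with a TOTP second
factor, depending on whether the reset handler clears the enrolled factor."""
import hashlib
import hmac
import os
import secrets
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), the scheme authenticator apps use."""
    counter = int(at_time // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(pw: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2; the 16-byte salt is stored as a prefix of the hash."""
    salt = salt if salt is not None else os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def check_password(pw: str, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(pw, stored[:16]), stored)


@dataclass
class Account:
    email: str
    password: bytes
    totp_secret: Optional[bytes] = None          # None means 2FA is not enrolled
    reset_tokens: Dict[str, float] = field(default_factory=dict)  # token -> expiry


class Service:
    """Hypothetical account service with an email-driven password reset."""

    def __init__(self, clear_mfa_on_reset: bool) -> None:
        # True  -> reset also removes the second factor (the question's scenario 3)
        # False -> reset changes only the password, 2FA stays enrolled (scenario 2)
        self.clear_mfa_on_reset = clear_mfa_on_reset
        self.accounts: Dict[str, Account] = {}

    def request_reset(self, email: str, now: float) -> Optional[str]:
        """Email-only step: whoever can read the mailbox obtains this token."""
        acct = self.accounts.get(email)
        if acct is None:
            return None
        token = secrets.token_urlsafe(32)
        acct.reset_tokens[token] = now + 15 * 60   # short-lived, single use
        return token

    def reset_password(self, email: str, token: str, new_pw: str, now: float) -> bool:
        acct = self.accounts[email]
        expiry = acct.reset_tokens.pop(token, None)  # single use
        if expiry is None or now > expiry:
            return False
        acct.password = hash_password(new_pw)
        if self.clear_mfa_on_reset:
            acct.totp_secret = None                 # the weak design
        return True

    def login(self, email: str, pw: str, code: Optional[str], now: float) -> bool:
        acct = self.accounts.get(email)
        if acct is None or not check_password(pw, acct.password):
            return False
        if acct.totp_secret is None:
            return True                              # no second factor to check
        return code is not None and hmac.compare_digest(code, totp(acct.totp_secret, now))


def run_scenario(clear_mfa_on_reset: bool) -> Dict[str, bool]:
    """Attacker with mailbox access resets the password; who can log in afterwards?"""
    svc = Service(clear_mfa_on_reset)
    secret = b"constructed-test-secret-20"          # constructed, not a real enrolment
    email = "user@example.com"
    svc.accounts[email] = Account(email, hash_password("orig-pw"), secret)
    t0 = 1_700_000_000.0                            # constructed timestamp
    token = svc.request_reset(email, t0)            # attacker reads this from the mailbox
    svc.reset_password(email, token, "attacker-pw", t0 + 60)
    t1 = t0 + 120
    return {
        "totp_still_enrolled": svc.accounts[email].totp_secret is not None,
        "owner_old_password_works": svc.login(email, "orig-pw", totp(secret, t1), t1),
        "attacker_without_code": svc.login(email, "attacker-pw", None, t1),
        "new_password_plus_valid_code": svc.login(email, "attacker-pw", totp(secret, t1), t1),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"clear_mfa_on_reset={flag}:", run_scenario(flag))
```

With `clear_mfa_on_reset=False` the mailbox-only attacker has changed the password but still cannot log in, and the owner's old password no longer works either: exactly the lock-out the question describes for scenario 2). With `clear_mfa_on_reset=True` the attacker logs in with the new password and no code, which is scenario 3). The defensive takeaways the model makes concrete are that the reset handler must never touch the enrolled factor, that reset tokens should be short-lived and single use, and that a separate, deliberately slow recovery path is what should govern removing a lost factor.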