Why 2FA Doesn’t Actually Protect You From Being Hacked

Ivan — Tue, 21 Apr 2026 17:30:40 +0000

Two-Factor Authentication (2FA) is often treated as a silver bullet.
“Enable 2FA and you’re safe.”
That’s a dangerous assumption.

2FA improves security, but it does not eliminate the real attack surface — which is still you and your device.

1. Phishing Still Wins

Modern phishing isn’t about stealing passwords later — it’s real-time.

Flow:

Fake website (pixel-perfect copy)
You enter login/password
You enter 2FA code
Attacker instantly logs in

No brute force. No hacking.

You just handed over everything.

2. MITM Attacks: You Don’t Even Notice

With reverse proxy tools, attackers act as a middle layer:

You see the real site
You interact normally
Your session gets intercepted

Once attacker gets your session cookie:

2FA is no longer needed at all

3. Compromised Device = Broken Security

If your system is infected:

OTP codes can be intercepted
Clipboard is monitored
Sessions are stolen
Browser is hooked

At this point:

2FA becomes just a checkbox

So Why Do We Still Use 2FA?

Because it protects against:

✔ Credential leaks
✔ Database breaches
✔ Weak passwords

But it does NOT protect against:

✖ Phishing
✖ MITM
✖ Malware

What Actually Works Better

Real-world security comes from reducing trust assumptions:

Unique passwords everywhere
Domain-aware autofill
Isolation of secrets
minimize manual input

Where Lockly Changes the Game

Most tools treat 2FA as “the second step”.

But the real problem is earlier — how credentials are handled.

With Lockly (https://lockly.at):

Autofill works only on correct domains → phishing resistance
Credentials are isolated → no reuse
2FA secrets can be stored alongside passwords
Less manual input → less chance to leak data

The goal is not “add more steps”
The goal is “remove human mistakes”

Final Thought

2FA is not useless.

But it’s also not what people think it is.

Security doesn’t fail at encryption.
It fails at interaction.

And fixing that layer is where tools like Lockly actually matter.

A Password Manager That Doesn’t Trust Its Own Server

Ivan — Sun, 12 Apr 2026 17:46:24 +0000

Most password managers say they are secure.

But very few are built on a simple idea:

The server should not be able to read your data at all.

I recently started using a tool called Lockly — a password manager built with a zero-knowledge architecture.

Lockly password manager focuses on doing one thing right — secure storage and synchronization of sensitive data.

No big launch. No marketing noise.

Just quietly released.

What makes it different

The core idea is zero-knowledge architecture.

All sensitive data is encrypted on the client side, before it ever leaves your device.

The server only stores ciphertext.

It literally has no ability to decrypt anything.

How it works (simplified)

Encryption flow looks like this:

You have a secret phrase
It is processed using Argon2id (key derivation)
A strong encryption key is generated
Data is encrypted using AES-256-GCM
Only encrypted data is sent to the server

Even if someone gets full access to the database:

→ they only see encrypted blobs

Without your secret — it’s useless.

What is actually encrypted

Everything that matters:

logins
passwords
URLs
notes

There is no “partial protection” — it’s all encrypted before sync.

Local-first approach

Another interesting part — it’s offline-first.

The app stores data locally in the browser (IndexedDB), encrypted as well.

This gives you:

instant access without waiting for network
full functionality offline
sync happens in the background

Sync without trust

Synchronization is handled separately:

local changes are queued
when online — pushed to server
remote updates are pulled back

The backend only coordinates this process.

It does not participate in decryption.

Why browser-based actually matters

There’s no heavy client installation required.

You can use it directly from a browser.

Even in incognito mode.

That means:

nothing persistent on the machine (if you don’t want it)
no obvious installed app
works across devices instantly

Depending on your threat model — this can be either convenience or an extra layer of operational security.

Why I’m sharing this

I’ve tried a lot of password managers.

Most of them are:

overloaded
too “cloud-dependent”
or require trusting the backend too much

This one is different.

It’s minimal.

This makes Lockly password manager a practical solution for users who care about privacy and control.

But it gets the fundamentals right:

encryption before transport
zero-knowledge backend
simple and predictable sync

And honestly — that’s what matters most.

Final thought

Security is not about features.

It’s about what the system is fundamentally capable of doing.

And in this case:

The system is fundamentally incapable of reading your data.

—

If you're curious, I can share more details about the architecture or setup.

DEV Community: Ivan