...
Basically, if someone was attempting to compromise an account, they would not only need the username and password but also the device where the 2FA has been registered. Additionally, 2FA applications running on a device have their own layer of security that you need to get through before you can approve any 2FA request.
Authenticator Applications
...
We suggest that you ensure the devices running your authenticator application have their time set automatically. This ensures that your device always has the correct time, because it synchronises its clock over the internet.
On a computer
You can do this by right-clicking the time on your computer (bottom right of the main screen). Then choose Adjust date/time from the settings.
...
Ensure that Set Time Automatically is turned on.
...
This needs to match up with the relevant authenticator device you are using. If you are using a phone, your phone time and the computer time need to be the same.
Technical Reference
From the Internet Engineering Task Force (IETF): RFC 6238 - TOTP: Time-Based One-Time Password Algorithm (ietf.org), notably Section 6, which covers resynchronisation.