I have a rather academic question: Following recommendations I activated 2FA, using access tokens for pushes and pulls etc. And it works perfectly, no problem. My question: How is this (access token) 2FA? Regarding security: what is the difference to using a password? There is none, is there? Am I wrong?
How is this (access token) 2FA?
Regarding security: what is the difference to using a password?
You are correct that the use of a generated token does not involve 2FA in the process of authentication. It is accepted in the same way a username and password are in HTTP Basic authentication.
The difference lies in the scopes granted over each generated token (read, write, etc.). In case of a password being intercepted, control over an entire account is lost. With proper practice of using limited-scope tokens, limited lifetimes, and separate tokens for each authenticating application, you can control the extent of damage caused by a leak of the access token, and also easily revoke the token to prevent further use immediately.
The token’s use in projects must also be secured of course, but it works out better than a password in the event of a credential leak from a vulnerable system/application.
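An added illustration of the point made above (example code, not from the answer or from any particular Git hosting service): each token record carries the scopes granted, an expiry and a revoked flag, so a leaked token can only do what it was scoped for and can be switched off individually, whereas a password would grant the whole account. The in-memory store and the function and scope names are assumptions for the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory token store; a real service keeps an equivalent record
# per token: a hash of the secret, its scopes, expiry and a revoked flag.
_TOKENS = {}


def _digest(secret: str) -> str:
    # Only a hash of the token is stored, so a leaked store does not leak secrets.
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_token(app: str, scopes, lifetime_s: int, now=None) -> str:
    """Mint a scoped, time-limited token for exactly one application."""
    now = time.time() if now is None else now
    secret = secrets.token_urlsafe(32)
    _TOKENS[_digest(secret)] = {
        "app": app,
        "scopes": frozenset(scopes),
        "expires": now + lifetime_s,
        "revoked": False,
    }
    return secret


def revoke_token(secret: str) -> bool:
    """Revoke one token; other applications' tokens keep working."""
    rec = _TOKENS.get(_digest(secret))
    if rec is None:
        return False
    rec["revoked"] = True
    return True


def authorize(secret: str, needed_scope: str, now=None) -> str:
    """Return 'ok' or the reason the request is refused."""
    now = time.time() if now is None else now
    rec = _TOKENS.get(_digest(secret))
    if rec is None:
        return "unknown token"
    if rec["revoked"]:
        return "revoked"
    if now >= rec["expires"]:
        return "expired"
    if needed_scope not in rec["scopes"]:
        return "scope %s not granted to %s" % (needed_scope, rec["app"])
    return "ok"
```

A CI runner issued only `repo:read` can clone but not push, its token dies on its own at expiry, and revoking it leaves the user's other tokens untouched.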
I understand. Thanks a lot for your comprehensive response!