Another thing to keep in mind: while they can log in with your auth code if they do a man-in-the-middle attack, they can NOT remove your auth without having physical access to it to read the serial number printed on the back of it. While they do get one login with this method, once you request the password be reset (even if they have changed it), they no longer have access until they steal your code in real time again.

This pattern will set off alarms very quickly and the account will get locked. It's all a matter of degrees of safety. Without an auth, they will get your account, put an auth on it, and then YOU MUST PROVE IT IS YOUR ACCOUNT while they ransack it. With an auth, they merely get your login session, not your account. When you call in, if you can give the phone techs an authenticator code, things go much quicker.

In summary, having an auth makes the hacker's job so much harder and your job of recovery that much easier. Add up the time you will spend getting everything back after a hack and divide it by 10 seconds; that's how many logins you have to make between hacks for it to be quicker to not have an auth in the long run. It took about a week to get everything back on my one hacked account, and that was fast.

Go here and save yourself a week or more.

- Souca -