Should 2FA always be on two different devices?

I hate to go off topic, but I will. I think that I understand the thinking that suggested this policy, but how do you log in to sites that require 2FA on the actual device where you run the authenticator app? Or do you just have a device that has the authenticator app and that device is not allowed to log in to any site or app that requires 2FA?

I’m thinking that every device that is running an Apple OS can be set not to unlock without a passphrase, so I’m not sure why that isn’t good enough for this process. It would require locking your Mac when you left your desk, but you should do that anyway.

Plus, of course, there are authenticator apps that can be set to use their own passphrase before they show the codes (Authy can be set this way), so that sounds like it would be a better policy. (Plus, as Adam mentioned, there is already an Authy Mac app anyway.) Authy can be set to cloud sync the secrets for the codes, but it doesn’t have to be set that way: each machine can be an island.

Of course it might be better in your company’s case to require unlocking with a hardware token device, like a YubiKey. But I know that they’re not always supported.

Yeah, Doug, that’s exactly where the hardware token devices come in. We can use one of those if we need to log in on our smartphones. There’s also a dedicated website we can use (from another device, e.g. a computer) to generate a token that is then used to get the phone online. As I said, their reasoning is that 2FA needs to involve 2 separate pieces of hardware. For most use cases this involves Google Authenticator on a smartphone to get tokens so you can log on through your computer. I’m not saying this is a smart policy (we deal with DOE and DOD, so we’re used to seeing all kinds of policies), but it is the policy we’re under. I just wonder if that means they will take away Google Authenticator as an option if they know it can be run on the same Mac that we’re trying to authenticate. Not really important (I’m just curious how this will eventually play out), so my apologies if this got us sidetracked.