Hacker News

Well, the big issue is that it prevents future access to your account. Let's say you have a simple 2FA device (no screen) and are using online banking. First you log in via a compromised machine. The attacker MITM'ed you, so they can see your account.

1. The bank should require a confirmation with your token to send money. If you don't send anything, the attacker can't either.

2. In the future, after the logout timeout, you know the attacker can't even read your account.

It greatly reduces the attack surface you need to worry about. Any attack they do must be right then.
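The two properties the comment relies on, a fresh token code for every transfer and a session that dies on timeout, as an added Python simulation (not code from the thread; the HOTP token, the `Bank` class and the constructed seed are assumptions):

```python
import hashlib
import hmac

SESSION_TTL = 600  # seconds a login stays valid before the bank drops the session

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class Bank:
    def __init__(self, secret: bytes):
        self.secret, self.counter, self.sessions, self.balance = secret, 0, {}, 1000

    def _accept(self, code: str) -> bool:
        # Codes are single-use: only the counter after the last accepted one is valid.
        if hmac.compare_digest(hotp(self.secret, self.counter + 1), code):
            self.counter += 1
            return True
        return False

    def login(self, sid: str, code: str, now: float) -> None:
        if self._accept(code):
            self.sessions[sid] = now

    def balance_of(self, sid: str, now: float):
        if now - self.sessions.get(sid, float("-inf")) > SESSION_TTL:
            self.sessions.pop(sid, None)  # expired: even reading stops working
            return None
        return self.balance

    def transfer(self, sid: str, amount: int, code: str, now: float) -> bool:
        # A live session is not enough; every transfer needs a fresh token press.
        if self.balance_of(sid, now) is None or not self._accept(code):
            return False
        self.balance -= amount
        return True

def simulate() -> dict:
    secret = b"constructed demo seed, not a real key"   # shared with the token
    bank, first = Bank(secret), hotp(secret, 1)         # code from the first press
    bank.login("s1", first, 0.0)                        # victim logs in on the MITM'd machine
    return {
        "attacker_reads": bank.balance_of("s1", 1.0),   # hijacked session: 1000
        "replay": bank.transfer("s1", 500, first, 2.0),  # reused login code: False
        "victim_pays": bank.transfer("s1", 100, hotp(secret, 2), 3.0),  # 2nd press: True
        "after_timeout": bank.balance_of("s1", SESSION_TTL + 1),        # None
    }
```

The attacker riding the session can read the balance but cannot move money without a new press of the token, and once the session times out the read access is gone as well.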


