item 13373320
_wdh | 9 years ago

That's scary. Would having 2FA enabled on your Gmail account protect you from this kind of attack?

mike-cardwell | 9 years ago

Depends on the type of 2FA. If it's using U2F, then you'd be fine as that is tied to the domain name of the site you're on, but if it's using TOTP/HOTP (i.e. Google Authenticator), and the phishing site asked you for your 2FA code, and you gave it, then you would still be successfully phished.

thomasahle | 9 years ago

Is the difference here that TOTP/HOTP is entered by the user, while U2F is entered automatically?

dividuum | 9 years ago

Not necessarily. Depends on how sophisticated the attack implementation is. They are MITM'ing you at that point, so it's entirely possible to not only capture username/password but also the 2FA token.

crashdown | 9 years ago

Must do surely. The attackers would have your email and password but wouldn't be able to login?

slig | 9 years ago

What is stopping them from showing the TFA screen and asking for you to type the number?

hvidgaard | 9 years ago

Yes. That is the point of 2FA. Require something more than login credentials, preferably something physical you possess for an actual login to be successful.

spydum | 9 years ago

Incorrect: U2F would prevent this, but a simple 2FA challenge could simply be displayed at the next screen of the form, and once you submit, the malicious server could immediately use the token you provide. U2F does mutual auth of the U2F service, so it should fail.
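The distinction mike-cardwell and spydum draw (a TOTP code relayed in real time works against the real site, a U2F assertion does not because the signed client data carries the origin the browser was actually on) can be shown in a small simulation. The following is an added example written for this page, not code from any commenter or from Google; it models the real site, the phishing proxy and the victim in one process. The TOTP half is RFC 6238 as specified. In the U2F half, an HMAC stands in for the token's ECDSA signature, the origins are made up, and the server-side origin check is the only one modelled (a real browser would already refuse to sign for an appId that does not match the page origin, so the assertion would never be produced at all; the server check is simulated here because it is the easiest place to see why the relay fails).

```python
import hashlib
import hmac
import json
import secrets
import struct
import time

# --- TOTP (RFC 6238): 30 s time step, HMAC-SHA1, 6 digits by default ---
def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class RealSiteTOTP:
    """Legitimate server. It can check the code is current; it cannot tell who typed it."""
    def __init__(self, password: str, totp_secret: bytes):
        self.password, self.totp_secret = password, totp_secret

    def login(self, password: str, code: str, now: float) -> bool:
        return (hmac.compare_digest(password, self.password)
                and hmac.compare_digest(code, totp(self.totp_secret, now)))


class PhishingProxyTOTP:
    """MITM page: shows the login form, then the 2FA form, and relays both answers."""
    def __init__(self, real_site: RealSiteTOTP):
        self.real = real_site

    def victim_submits(self, password: str, code: str, now: float) -> bool:
        # The attacker forwards the captured code to the real site at time `now`.
        return self.real.login(password, code, now)


# --- U2F-style assertion: the token signs H(appId) || H(clientData) ---
REAL_ORIGIN = "https://accounts.example"            # constructed origin
PHISH_ORIGIN = "https://accounts.example.evil.test"  # constructed phishing origin


def u2f_sign(key: bytes, app_id: str, challenge: str, origin: str):
    # The browser builds clientData from the origin the user is really on; the token signs it.
    client_data = json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    msg = hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(client_data).digest()
    sig = hmac.new(key, msg, hashlib.sha256).digest()  # HMAC stands in for ECDSA here
    return client_data, sig


class RealSiteU2F:
    def __init__(self, key: bytes):
        self.key, self.app_id = key, REAL_ORIGIN

    def new_challenge(self) -> str:
        return secrets.token_urlsafe(32)

    def verify(self, challenge: str, client_data: bytes, sig: bytes) -> bool:
        cd = json.loads(client_data)
        if cd.get("origin") != self.app_id:      # origin binding: relayed assertions fail here
            return False
        if cd.get("challenge") != challenge:     # replay of an old assertion fails here
            return False
        msg = hashlib.sha256(self.app_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.compare_digest(sig, hmac.new(self.key, msg, hashlib.sha256).digest())


# --- Scenarios ---
TOTP_SEED = b"constructed-totp-seed"   # constructed; would be the enrolled authenticator seed
U2F_KEY = b"constructed-u2f-key"       # constructed; would be the token's private key


def run_totp_phish(delay: float = 0.0) -> bool:
    """Victim types password and current TOTP into the phishing page; attacker relays after `delay`."""
    real = RealSiteTOTP("hunter2", TOTP_SEED)
    phish = PhishingProxyTOTP(real)
    now = time.time()
    victim_code = totp(TOTP_SEED, now)  # read from the victim's authenticator app
    return phish.victim_submits("hunter2", victim_code, now + delay)


def run_u2f_phish() -> bool:
    """Phisher fetches a real challenge, relays it; the victim's browser signs with the phishing origin."""
    real = RealSiteU2F(U2F_KEY)
    challenge = real.new_challenge()
    client_data, sig = u2f_sign(U2F_KEY, real.app_id, challenge, PHISH_ORIGIN)
    return real.verify(challenge, client_data, sig)


def run_u2f_legit() -> bool:
    """Same exchange on the genuine origin: accepted."""
    real = RealSiteU2F(U2F_KEY)
    challenge = real.new_challenge()
    client_data, sig = u2f_sign(U2F_KEY, real.app_id, challenge, REAL_ORIGIN)
    return real.verify(challenge, client_data, sig)


if __name__ == "__main__":
    print("TOTP relayed immediately:", run_totp_phish())        # True: phish succeeds
    print("TOTP relayed two minutes later:", run_totp_phish(120))  # False: code expired
    print("U2F relayed from phishing origin:", run_u2f_phish())  # False: origin mismatch
    print("U2F on real origin:", run_u2f_legit())                # True
```

The `delay` parameter is why spydum says "immediately": the attacker's window is the remaining life of the 30-second TOTP step (servers usually accept a step or two of skew, which only widens it slightly). Nothing in the TOTP code ties it to a domain, so the real site has no way to distinguish the relay from the victim. The U2F assertion fails for the opposite reason: the origin is inside the signed data, so it cannot be rewritten by the proxy without invalidating the signature.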