SpaethCo | 6 years ago

2FA only helps if it's a 2-way authentication mechanism like U2F.

TOTP codes are completely phishable using ridiculously easy-to-set-up kits out there like CredSniper[0]. Set up a MITM proxy authentication site, get the user to live authenticate through the proxy, steal the session cookie, game over.

Some of the feedback that has come out of internal campaigns has been things like "I thought the URL looked weird, but the email said it was a beta site, and I got the Duo push notification for the second factor so it seemed legitimate."

That's the real danger in 2FA mechanisms outside of U2F: people believe it protects against phishing, and it absolutely does not.

[0] https://github.com/ustayready/CredSniper
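The relay flow described in this comment, as an added toy model that is not code from the thread or from CredSniper: a proxy forwards the victim's password and current TOTP code to the real site and keeps the session cookie, while the same proxy fails against a U2F/WebAuthn-style login because the browser writes the origin it actually loaded into the signed client data and the relying party compares it with its own. The origins, seeds, usernames and the HMAC stand-in for the token's public-key signature are all constructed for the demo.

```python
"""Toy model of a phishing-proxy login relay (added example, not code from the
thread or from CredSniper). A relayed TOTP code is accepted because it is bound
only to the shared seed and the clock; a U2F/WebAuthn-style assertion is rejected
because the browser puts the page's real origin into the signed client data.
Names, seeds and origins are constructed; the authenticator 'signature' is an
HMAC stand-in for a real public-key signature."""
import hashlib
import hmac
import json
import secrets
import struct

RP_ORIGIN = "https://login.example.com"           # constructed: the real site
PHISH_ORIGIN = "https://login-example-beta.com"   # constructed: the proxy's lookalike


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP = RFC 4226 HOTP (HMAC-SHA1) over the time counter."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Authenticator:
    """Victim's U2F/WebAuthn token plus the browser that drives it."""

    def __init__(self, key: bytes):
        self.key = key

    def get_assertion(self, page_origin: str, challenge: str):
        # The browser, not the page, fills in 'origin': it is the origin of the
        # page that called navigator.credentials.get(), so a phishing page
        # cannot claim to be RP_ORIGIN.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
            sort_keys=True,
        )
        sig = hmac.new(self.key, client_data.encode(), hashlib.sha256).digest()
        return client_data, sig


class RelyingParty:
    """The real login server: holds the TOTP seed and the registered token key."""

    def __init__(self, totp_seed: bytes, token_key: bytes):
        self.totp_seed = totp_seed
        self.token_key = token_key
        self.sessions = {}
        self.challenges = {}

    def login_totp(self, user, password, code, now):
        # TOTP is bound to the seed and the clock, not to who submits it.
        if password != "hunter2" or not hmac.compare_digest(code, totp(self.totp_seed, now)):
            return None
        return self._new_session(user)

    def issue_challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def login_fido(self, user, client_data, sig):
        data = json.loads(client_data)
        if data.get("challenge") != self.challenges.pop(user, None):
            return None
        if data.get("origin") != RP_ORIGIN:   # origin binding: the check a relay fails
            return None
        expected = hmac.new(self.token_key, client_data.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        return self._new_session(user)

    def _new_session(self, user):
        cookie = secrets.token_hex(16)   # this is what the proxy walks away with
        self.sessions[cookie] = user
        return cookie


def run_demo(now: int = 1_700_000_000):
    seed, key = b"constructed-totp-seed", b"constructed-token-key"
    rp, token = RelyingParty(seed, key), Authenticator(key)

    # 1. TOTP through the proxy: the victim types password + current code into
    #    the lookalike page; the proxy submits them live and keeps the cookie.
    #    The victim's phone app computes totp(seed, now) from the same seed.
    stolen_cookie = rp.login_totp("alice", "hunter2", totp(seed, now), now)

    # 2. U2F/WebAuthn through the same proxy: the proxy fetches a real challenge
    #    and hands it to the victim's browser, which is sitting on PHISH_ORIGIN.
    ch = rp.issue_challenge("alice")
    client_data, sig = token.get_assertion(PHISH_ORIGIN, ch)
    phished_fido = rp.login_fido("alice", client_data, sig)

    # 3. The same token used directly on the real site, for comparison.
    ch = rp.issue_challenge("alice")
    client_data, sig = token.get_assertion(RP_ORIGIN, ch)
    legit_fido = rp.login_fido("alice", client_data, sig)

    return {
        "totp_proxy_got_cookie": stolen_cookie is not None,
        "fido_proxy_got_cookie": phished_fido is not None,
        "fido_direct_got_cookie": legit_fido is not None,
    }


if __name__ == "__main__":
    print(run_demo())
```

Real WebAuthn verification also checks the RP ID hash and signature counter in the authenticator data and uses an asymmetric key, but the origin comparison in `login_fido` is the step that makes a live relay fail; nothing the proxy does lets the victim's browser report `RP_ORIGIN` while loaded from `PHISH_ORIGIN`.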

Godel_unicode | 6 years ago

This is dangerously untrue; while TOTP is clearly not as secure as a hardware token, it's much more secure than just username/password. It requires the adversary to do more work, and also provides more clues for the server that something phishy is going on. It's also much easier to sell to users, especially for free-but-critical services like webmail. You're not going to convince everyone to buy a $30 hardware token to protect their free Gmail account; meet your users where they are.

By all means, move towards a hardware-based 2FA setup. But don't let that prevent intermediate steps to improve security along the way.

Your example is also deeply flawed as it can be used to steal auth tokens for 2FA sites, even if they use FIDO. MITM is game over.