top | item 28665149

hansy | 4 years ago

Using a separate device (yubikey, mobile phone, etc) is always recommended, but this is a bit more secure than meets the eye. Someone would have to get access to your Slack account to view the codes, and to do that, they'd have to first get access to your work email (because Slack is password-less and emails auth links to you).

weirdo28 | 4 years ago

To do this semi-securely (because Slack accepts regular passwords) you'd need to validate the user's own MFA before handing out these MFA creds to prevent a Slack account compromise from escalating... but Slack can't do that unless there was an extension in the plugin somehow to prompt for an OTP code.

akerl_ | 4 years ago

Slack happily uses passwords; the “magic links” via email are an additive feature.

hansy | 4 years ago

Oof you're 100% right; definitely missed this.