top | item 38452500

(no title)

>I have my password manager and can login with 1 click to all my sites. 2FA is always a pain in the ass and always extra effort on something my password manager already protects me from.

So I think there are a few potential issues with this argument based on assumptions you're making. I'd argue this isn't entirely true because:

1. Many password managers allow you to manually copy the password into your clipboard, which mean you could paste it somewhere that's unsafe / untrusted. Someone could then use this password to authenticate as you. Many sites disallow token reuse, so once used if you accidentally pasted that somewhere as well an attacker couldn't reuse the token.

2. Similarly, if someone has managed to exfiltrate login details you provide without being able to also obtain the session cookie sent back, and the site enforces one time use of MFA tokens, then the MFA token can also avoid a replay attack of your login details.

I'll admit the second one may be a bit contrived, because if they can exfiltrate login details it seems likely they could also just obtain the session cookie. But if said cookie is tied to a certain IP address, then that cookie is useless to them and they wouldn't be able to replay the credentials.

discuss

No comments yet.