RaisingSpear | 1 year ago
For a typical person, maybe, but for a tech-minded individual who understands security, data entropy and what /dev/random is?
And I don't see how MFA stops phishing - it can get you to enter a token like it can get you to enter a password.
I'm also looking at this from the perspective of an individual, not a service provider, so the activities of the greater percentage of users are of little interest to me.
mr_mitm | 1 year ago
That's why I qualified it with "certificate-based". The private key never leaves the device, ideally a YubiKey-type device.
RaisingSpear | 1 year ago
Except that phishing doesn't require the private key - it just needs to echo back the generated token. And even if that isn't possible, what stops it from obtaining the session token that's sent back?
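The exchange the two commenters are arguing about can be made concrete in a small simulation. The following is an added example, not code from either commenter: it models a relying party, a browser, and a device that holds per-site key material, and contrasts a typed one-time code (which carries nothing naming the site it was typed into) with a device-held credential whose response is bound to the origin the browser actually reports. This is not FIDO/WebAuthn itself; as a stdlib-only stand-in, HMAC replaces the asymmetric signature, and the origins `bank.example` and `bank-login.example`, the user `alice`, and the fixed timestamp are constructed for the demo.

```python
"""Constructed simulation: a typed one-time code can be relayed by a phishing
page, while a device-held credential bound to the page origin cannot.
HMAC stands in for the asymmetric signature a real authenticator would produce
(assumption for a stdlib-only demo); the mechanism shown is the origin binding."""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, t: int, step: int = 30) -> str:
    """Minimal RFC 6238-style code. Note that nothing in it names the site it is typed into."""
    counter = struct.pack(">Q", t // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class Authenticator:
    """Stand-in for a hardware key: per-origin secrets that never leave this object."""

    def __init__(self):
        self._keys = {}  # origin -> key material, scoped to that origin at registration

    def register(self, origin: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[origin] = key
        return key  # a real authenticator would hand back a public key here

    def get_assertion(self, origin: str, challenge: bytes):
        """Sign the challenge bound to the origin the browser reports; None if no credential exists."""
        key = self._keys.get(origin)
        if key is None:
            return None
        origin_hash = hashlib.sha256(origin.encode()).digest()
        sig = hmac.new(key, origin_hash + challenge, hashlib.sha256).digest()
        return origin_hash, sig


class RelyingParty:
    def __init__(self, origin: str):
        self.origin_hash = hashlib.sha256(origin.encode()).digest()
        self.credentials = {}  # user -> key material from registration
        self.otp_secrets = {}  # user -> TOTP seed
        self.pending = {}      # user -> outstanding challenge

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(32)
        self.pending[user] = c
        return c

    def verify_assertion(self, user: str, response) -> bool:
        challenge = self.pending.pop(user, None)
        if challenge is None or response is None:
            return False
        origin_hash, sig = response
        if not hmac.compare_digest(origin_hash, self.origin_hash):
            return False  # signed for some other site: a relayed response
        expected = hmac.new(self.credentials[user], origin_hash + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

    def verify_otp(self, user: str, code: str, t: int) -> bool:
        return hmac.compare_digest(totp(self.otp_secrets[user], t), code)


def browser_login(rp: RelyingParty, auth: Authenticator, user: str, page_origin: str) -> bool:
    """The browser passes the authenticator the origin of the page that asked, whatever that page claims."""
    challenge = rp.challenge(user)  # fetched by whoever is talking to the relying party
    response = auth.get_assertion(page_origin, challenge)
    return rp.verify_assertion(user, response)


def demo():
    auth = Authenticator()
    bank = RelyingParty("bank.example")
    bank.credentials["alice"] = auth.register("bank.example")
    bank.otp_secrets["alice"] = secrets.token_bytes(20)
    now = 1_700_000_000  # constructed fixed timestamp so the run is deterministic

    # 1. Typed one-time code: a phishing page just forwards whatever the user types.
    typed_into_phish_page = totp(bank.otp_secrets["alice"], now)
    otp_relay_ok = bank.verify_otp("alice", typed_into_phish_page, now)

    # 2. Origin-bound assertion requested by the legitimate page.
    legit_ok = browser_login(bank, auth, "alice", "bank.example")

    # 3. Same flow through a look-alike origin: the device has no credential for it.
    relay_ok = browser_login(bank, auth, "alice", "bank-login.example")

    # 4. Even if the user enrolled the device with the look-alike site, the response names that site.
    auth.register("bank-login.example")
    relay_ok_after_enroll = browser_login(bank, auth, "alice", "bank-login.example")

    return otp_relay_ok, legit_ok, relay_ok, relay_ok_after_enroll


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```

The first result is the relay that the thread describes: a code the user types is accepted regardless of which page collected it. The last two show what the origin binding buys: the browser, not the page, decides which origin the device signs for, so a response produced on a look-alike page fails at the real site whether or not the device knows that look-alike. The session token question raised at the end is outside this model; origin binding protects the login step, and what happens to the cookie afterwards is a separate control.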